INDUSTRY SPEAKS ON CYBERSECURITY


TUESDAY, JULY 15, 2003 

U.S. House of Representatives
Subcommittee on Cybersecurity, Science, and Research and Development
Select Committee on Homeland Security,
Washington, D.C.

The subcommittee met, pursuant to call, at 10:02 a.m., in Room 
2118, Rayburn House Office Building, Hon. William Thornberry 
[chairman of the subcommittee] presiding. 

Present: Representatives Thornberry, Sessions, Boehlert, Smith, 
Camp, Linder, Lofgren, Sanchez, Andrews, Jackson Lee, 
Christensen, Etheridge, Lucas, Langevin, Meek, Cox (ex officio), 
Turner (ex officio), also present, Dunn. 

Mr. Thornberry. [Presiding.] The hearing will come to order. 

This hearing of the Subcommittee on Cybersecurity, Science, Research
& Development will take testimony today on industry perspectives
on cybersecurity.

And let me first thank each of the witnesses for making the ef- 
fort to be here today. As you look down the line, it is truly not only 
a group that has a lot to offer to this subcommittee, but the world 
leaders in so many fields. 

So I appreciate each of you being here, and I appreciate the staff 
being able to assemble this panel and all we have, and enable us 
to learn from it. 

Ms. Lofgren and I again ask unanimous consent that members 
other than the chairman and ranking member waive oral written 
statements — oral opening statements, written opening statements 
will be made part of the record and each of the witnesses written 
statements will also be made a part of our record. 

And at this time the Chair will yield to the distinguished 
gentlelady from California, Ranking Member Ms. Lofgren. 

Ms. Lofgren. Thank you, Mr. Chairman. 

This is a terrific panel and I know that we at the end of the day 
will know more about what we face as a nation in the area of 
cybersecurity and will have, I think, a better idea of the prudent 
steps that we should take. 

I am especially pleased — I mean, every one of the witnesses is 
spectacular — but I would like to issue a special welcome to Whit
Diffie, who was part of the encryption wars that Mr. Goodlatte and
I engaged in with so many of the members of the committee a few 
years ago, and the inventor of public key encryption. 

I hope that as we hear from the witnesses, we can particularly 
hear about your company’s investment into research and development
on cyber vulnerabilities, and without going into specifics,
learn about the various types of cyber attacks your company has 
faced in the past year, your company’s policies on information-shar- 
ing relative to cyber attacks as well as any experience you have 
had in dealing with the Department of Homeland Security. 

As the chairman and I have discussed in past occasions, I think 
we all know the issue really is what benchmarks do we put in 
place, how do we audit or ensure benchmarks are being met, and 
which carrot and stick do we put in place. 

And those are broad categories, but the details are troublesome. 

And so that is what we are, I think, dealing with and we know 
that most of the infrastructure that needs to be protected is in the 
private sector, so it is absolutely so important that you are here 
today. 

And I would ask — well, we already have consent to put my full 
statement into the record. 

And I thank the chairman for yielding. 

Mr. Thornberry. Thank you, gentlelady. 

And I think we see things exactly the same. 

We are not going to be successful as a country without a partner- 
ship with each of you and other industry folks. 

So at this time I want to turn to our witnesses. 

As I mentioned, your full written statement will be made part of 
the record, and I will invite each of you to either summarize it or 
make such comments as you wish. 

We are going to go down the row. 

And I am going to start with Philip Reitinger, who is senior secu- 
rity strategist with Microsoft. 

Thank you for being here with us today. 

And you are recognized for five minutes. 

STATEMENT OF MR. PHIL REITINGER, SENIOR SECURITY 
STRATEGIST, MICROSOFT CORPORATION 

Mr. Reitinger. Thank you very much. 

Good morning. 

Good morning, Chairman Thornberry, Ranking Member Lofgren, 
and members of the subcommittee. 

As the chairman indicated, my name is Phillip Reitinger, and I 
am a senior security strategist with Microsoft Corporation. 

I want to thank you for the opportunity to appear before you 
here today to provide our views on an issue that affects govern- 
ment, businesses and consumers — cybersecurity. Microsoft is deep- 
ly committed to confronting the challenges of cybersecurity and we 
recognize our responsibility to make our products ever more secure. 

Our efforts accelerated after September 11 and crystallized when 
Bill Gates launched our trustworthy computing initiative in Janu- 
ary 2002. Trustworthy computing is Microsoft’s top priority and in- 
volves every aspect of the company. Last year, we had all 8,500 de- 
velopers on the Windows team stop developing new code to focus 
on security. We spent over two months training our developers, reviewing
the security of existing code, reducing potential vulnerabilities, modeling
threats, and conducting penetration testing of the code. This critical
investment cost us an estimated $200 million and delayed by months the
release of our recent Windows Server 2003 product.

Trustworthy computing, broadly, means that we are working to 
ensure that computers better protect the security of personal and 
corporate information, enable people in organizations to control 
how their information is used, and are more reliable. Security, pri- 
vacy, reliability and business integrity are the core pillars of our 
trustworthy computing initiative. In this effort, we are working to 
create products and services that are secure by design, secure by 
default, secure in deployment, and to communicate openly about se- 
curity. 

Secure by design means two things. Writing more secure code 
and architecting more secure products and services. Secure by de- 
fault means writing computer software that is secure out of the 
box, whether in a home environment or an IT department. Secure 
in deployment means making it easier for consumers and IT profes- 
sionals to maintain the security of their systems. And communica- 
tions means sharing what we have learned, both within and out- 
side of Microsoft, particularly through our industry-leading re- 
sponse center. 

The trustworthy computing goals are ingrained in our culture 
and are part of the way we value our work. Yet, we recognize that 
trustworthy computing and improved cybersecurity will not result 
from the efforts of one company alone. As demonstrated by my col- 
leagues on this panel, we are not alone in these efforts. Microsoft 
is dedicated to working together with these industry partners and 
with government leaders to make the goals of trustworthy com- 
puting an industry-wide reality. 

We do so in a number of forums, including the IT ISACs, the 
Partnership for Critical Infrastructure Security, the National 
Cybersecurity Alliance and the Trusted Computing Group. We also 
recognize that technology, alone, cannot provide a complete answer. 

I want to outline a few specific areas where government policy 
can help promote cybersecurity. First, the government can help by 
recognizing IT products engineered for security and by securing its 
own systems. This can include purchasing common-criteria certified 
products, and even awarding a Malcolm Baldrige type of award for 
security solutions. 

Secondly, we support additional federal funding for cybersecurity 
research and development, including university-driven research that
can be transferred to the private sector so that industry can further 
develop this technology and deploy it widely. 

Third, we support an international law enforcement framework 
that establishes minimum criminal liability and penalty rules for 
cyber crime, so that cyber attackers cannot escape punishment for 
attacks against the United States by seeking refuge outside our 
borders. 

Fourth, the government must be both a provider as well as a con- 
sumer of valuable threat information. 

Finally, even with the creation of the Department of Homeland 
Security and the National Cybersecurity Division, both of which 
Microsoft supported, cybersecurity remains an interagency prob- 
lem. Without a multi-disciplinary effort by both government and in- 
dustry, we will not succeed. 

In conclusion, Microsoft is committed to strengthening the security
of our products and services and is equally committed to working
with governments and our industry peers on security issues.

In the end a coordinated response to cybersecurity risks offers 
the greatest hope for promoting security and fostering the growth 
of a vibrant online economy. Thank you very much. 

[The statement of Mr. Reitinger follows:] 

PREPARED STATEMENT OF MR. PHILIP REITINGER 

Chairman Thornberry, Ranking Member Lofgren, and Members of the Subcommittee:
My name is Philip Reitinger, and I am a Senior Security Strategist at
Microsoft reporting directly to Microsoft’s Chief Security Strategist. I want to thank 
you for the opportunity to appear today to provide our views on an issue that affects 
governments, businesses, and consumers around the world — cybersecurity. It is the 
responsibility of all of us to ensure that the tremendous benefits of technology for 
governments, business and consumers are not thwarted by attacks on our computer 
systems. Because most cyber attacks are not discovered or, if discovered, are not re- 
ported, and because we have no national or international statistically rigorous meas- 
urement of damages from cyber crime, the exact cost of cyber attacks to companies 
and consumers is unknown. But four things are clear: 

First, there are people in cyberspace who seek to corrupt our systems. These 
criminals act with the knowledge that they are highly unlikely to be caught, let 
alone prosecuted and imprisoned. 

Second, the known damages are significant — perhaps in the billions of dollars an- 
nually. Software applications and operating systems, and the networks on which 
they reside, are ubiquitous and integral to society, and attacks upon them can cause 
significant disruption. 

Third, as September 11th taught us, our preconceived notions of the risk from ter- 
rorism and other threats may underestimate the actual risk by orders of magnitude. 
A cyber attack on the backbone of one of our nation’s critical information infrastruc- 
tures could disrupt America’s physical and economic well-being and have a massive 
worldwide impact. 

Fourth, and most important, these attacks have an impact greater than imme- 
diate financial loss. Perhaps their greatest cost is the loss of consumer trust in infor- 
mation technology. Without such trust, society cannot realize the full potential of 
information technology. Thus, the effort to achieve cybersecurity — to achieve the 
trust necessary to reap the benefits of the digital age — is a critical priority for us 
all. 

At Microsoft, we are deeply committed to cybersecurity and we recognize our re- 
sponsibility to make our products ever more secure. We are at the forefront of indus- 
try efforts to enhance the security of computer programs, products and networks, 
and better protect our critical information infrastructures. We also work closely with 
our partners in industry, government agencies and law enforcement around the 
world to identify security threats to computer networks, share best practices, im- 
prove our coordinated response to security breaches, and prevent computer attacks 
from happening in the first place. These efforts accelerated after September 11 and 
crystallized when Bill Gates launched our Trustworthy Computing initiative in Jan- 
uary 2002. 

Today, I want to describe the ways in which we believe industry and government 
can work in partnership to promote cybersecurity. First, I will discuss our commit- 
ment to Trustworthy Computing and how it is reflected in our products and our re- 
search and development efforts. Next, I will discuss our efforts to join forces with 
industry and government to help guard against cyber-threats and enhance security 
for businesses and consumers. Finally, I will address government’s critical and tai- 
lored role in enhancing cybersecurity. 

Microsoft’s Commitment to Trustworthy Computing 

Trustworthy Computing is Microsoft’s top priority and involves every aspect of the 
company. Last year, we had all 8,500 developers on the Windows team stop devel- 
oping new code to focus on security. We spent over two months training our devel- 
opers, reviewing the security of existing code, reducing potential vulnerabilities, 
modeling threats and conducting penetration testing of the code. This effort cost us 
an estimated $200 million dollars, and delayed by months the release of our recent 
Windows Server 2003 product. But we know that it was worth these costs, and it 
was a critical step to enhance the security of Microsoft’s key software platform. 

“Trustworthy Computing” broadly means that we are working to ensure that computers
better protect the security of personal and corporate information, enable people
and organizations to control how their information is used, and are more reliable.
We also are working to ensure that when problems do arise, they can be resolved
immediately and predictably. Security, privacy, reliability and business integrity
are the core pillars of our Trustworthy Computing initiative.

The security pillar of Trustworthy Computing is most relevant for today’s hearing. 
Under this pillar, Microsoft is working to create products and services that are Se- 
cure by Design, Secure by Default, and Secure in Deployment, and to communicate 
openly about security. 

• “Secure by Design” means two things: writing more secure code and 
architecting more secure products and services. Writing more secure code means 
using a redesigned software development process that includes training for de- 
velopers, code reviews, automated testing of code, threat modeling, and penetra- 
tion testing. Architecting more secure products and services means designing 
products with built in and aware security, so that security imposes less of a 
burden on users and security features are actually used. 

• “Secure by Default” means that computer software is secure out of the box, 
whether it is in a home environment or an IT department. It means shipping 
products to customers in a locked-down configuration with many features 
turned off, allowing customers to configure their systems appropriately, in a 
more secure way, for their unique environment. 

• “Secure in Deployment” means making it easier for consumers and IT profes- 
sionals to maintain the security of their systems. We have a role in helping con- 
sumers help themselves by creating easy-to-use security technology. Due to the 
complexity of software and multiple environments in which it may be placed, 
software will never be perfectly secure while also being functional. Accordingly, 
“secure in deployment” means providing training on threats and security; offer- 
ing guidance on how to deploy, configure and maintain products securely; and 
providing better security tools for users, so that when a vulnerability is discov- 
ered, the process of patching that vulnerability is simple and effective. 

• “Communications” means sharing what we learn both within and outside of 
Microsoft, providing clear channels for people to talk to us about security issues, 
and addressing those issues with governments, our industry counterparts, and 
the public. 

The Trustworthy Computing goals are real and specific, and this effort is now in- 
grained in our culture and is part of the way we value our work. It is demonstrated 
by our enhanced software development process. It is demonstrated by our continued 
development of more sophisticated security tools, including threat models and risk 
assessments, to better identify potential security flaws in our products. It is dem- 
onstrated by our formation of what we believe to be the industry’s best security re- 
sponse center to investigate immediately any reported product vulnerability and 
build and disseminate the needed security fix. And perhaps more clearly than any- 
thing else, it is demonstrated by our delay in releasing a product for months to con- 
tinue to improve its security. In short, security is — as it should be — a fundamental 
corporate value. We make every effort to address security in the initial product de- 
sign, during product development, and before a product’s release, and we remain 
committed to security in the product once it has gone to market. 

At times, of course, people worry that increased security may lead to an erosion 
of privacy. It is important to note that we do not view security and privacy as in 
inevitable conflict. In fact, we think technology can help protect both simulta- 
neously. We hear repeatedly from customers that they need new ways to control 
how their digital information is used and distributed. In response, we are working 
on a number of emerging rights management technologies that will help protect 
many kinds of digital content and open new avenues for its secure and controlled 
use. For example, we are on the verge of releasing Microsoft Windows Rights Man- 
agement Services (RMS), a premium service for Windows Server 2003 that works 
with applications to help customers protect sensitive web content, documents and 
e-mail. The rights protection persists in the data regardless of where the informa- 
tion goes, whether online or offline. In this way it allows ordinary users and enter- 
prises to take full advantage of the functionality and flexibility offered by the digital 
network environment — from sharing information and entertainment to transacting 
business — while providing greater privacy and persistent protections. 

Much work on Trustworthy Computing, however, remains ahead of us. One key 
piece of that work is the Next-Generation Secure Computing Base (NGSCB). This 
is an on-going research and development effort to help create a safer computing en- 
vironment for users by giving them access to four core hardware-based features 
missing in today’s PCs: strong process isolation, sealed storage, a secure path to and 
from the user, and strong assurances of software identity. These changes, which
require new PC hardware and software, can provide protection against malicious
software and enhance user privacy, computer security, data protection and system
integrity. We believe these evolutionary changes ultimately will help provide
individuals and enterprises with greater system integrity, information security and
personal privacy, and will help transform the PC into a platform that can perform
trusted operations, to the benefit of consumers.

Microsoft’s Collaboration with Third Parties on Security Initiatives 

Notwithstanding the robust nature of our own efforts, we recognize that Trust- 
worthy Computing and improved cybersecurity will not result from the efforts of one 
company alone. And, as will be demonstrated by my colleagues from this and the 
next panel, we are not alone in these efforts — responsible information technology 
companies increasingly focus on security as a key corporate goal. Microsoft is dedi- 
cated to working together with these industry partners and with government lead- 
ers to make the goals of Trustworthy Computing an industry-wide reality. For ex- 
ample, as part of our work on NGSCB, we work with a variety of hardware and 
software partners to ensure that the PC platform has built-in protection against fu- 
ture viruses, threats from hackers, and unauthorized access to private information 
and digital property. 

In April of this year, we joined four other industry partners (AMD, Intel, IBM and 
Hewlett-Packard) in establishing the Trusted Computing Group (TCG), a not-for- 
profit organization formed to develop, define, and promote open standards for hard- 
ware-enabled trusted computing and security technologies. The primary goal is to 
help users protect their information assets (data, passwords, keys, etc.) from exter- 
nal software attack and physical theft and to provide these protections across mul- 
tiple platforms, such as servers, PDAs, and digital phones. 

In addition to these efforts, Microsoft remains committed to a multi-disciplinary 
approach to security that extends beyond technical solutions and specifications. 
Early detection and warning of cybersecurity threats, public education on 
cybersecurity, incident response, and prosecution of cyber-crimes, among other 
things, are all key aspects of creating a more secure computing environment. In 
order to have effective prevention and response, there must be an emphasis on co- 
operation and information sharing. For this reason, we have been supporters of the 
National Cyber Security Alliance and the Partnership for Critical Infrastructure Se- 
curity, and we work closely with government agencies and other industry partici- 
pants on both an informational and operational level to prevent and investigate 
computer intrusions and attacks. 

We also helped found the Information Technology - Information Sharing and 
Analysis Center (IT-ISAC) and provided its first president. The IT-ISAC coordi- 
nates information-sharing on cyber-events among information technology companies 
and the government. We continue to support and are working with other members 
to improve the IT-ISAC’s efforts to coordinate among members, with the govern- 
ment, and with other ISACs. Such efforts are critical because this nation’s infra- 
structures were and are designed, deployed, and maintained by the private sector. 
The interdependencies among infrastructure sectors mean that damage caused by 
an attack on one sector may have disruptive and perhaps devastating effects on 
other sectors. Voluntary information sharing and industry-led initiatives, supported 
by government cybersecurity initiatives, comprise an essential first line of defense 
against such threats. 

We believe that the information sharing engendered to date by the IT-ISAC and 
other ISACs is an important step in enhancing public-private cooperation in
combating cybersecurity threats. Yet, there remains room for progress and government
and industry should continue to examine and reduce barriers to appropriate ex- 
changes of information, and build mechanisms and interfaces for such exchanges. 
This effort must involve moving away from ad hoc exchanges and toward exchanges 
that are built into business processes. This will require working toward a common 
understanding of the information that is valuable to share, when and how such in- 
formation should be shared, and the means by which shared information will be pro- 
tected. The keystones are trust and value — if an information sharing “network” pro- 
vides value and the participants trust it, then information will be shared. While the 
appropriate structure and form of this network are still evolving for both industry 
and government, we are eager to see a robust exchange of information on 
cybersecurity threats and will work with government, our industry partners, and 
with the ISAC community toward that goal. 

Where Government Policy Can Make a Difference 

While the sorts of technology-related steps outlined above can address many of 
the security challenges we face, technology alone cannot provide a complete answer. 
A comprehensive response to the challenges of cybersecurity depends on both
technology and public policy — and critically, on how technology and policy interact
with and complement one another. I want to outline a few specific areas where
government policy can be particularly helpful in promoting cybersecurity.

First, the government, through public attestations and its own security practices 
and procurement efforts, can help by recognizing IT products engineered for
security. For example, the late Commerce Secretary, Malcolm Baldrige, was honored
by having a quality award named after him and bestowed upon businesses that 
demonstrate outstanding quality in certain areas. We understand that the Depart- 
ment of Homeland Security is considering a similar award for high quality security 
solutions. We think this is a good idea and we are ready to support the government 
as it develops and implements this visible incentive. 

Likewise, the government can lead by example by securing its own systems 
through the use of reasonable security practices and buying products that are engi- 
neered for security. Where appropriate — such as for national security agencies and 
other agencies, issues, and services for which security is of the utmost importance — 
this should include purchasing products whose security has been evaluated and cer- 
tified under the internationally-recognized (and U.S. supported) Common Criteria 
for Information Technology Security. Such efforts to procure only security-engi- 
neered products, and specifically such clear support for the Common Criteria, will 
help strengthen the government infrastructure. In doing so, the government also 
will help set a high standard for security — one that ultimately is necessary to en- 
hance the protection of critical infrastructures. 

Second, public research and development can play a vital role in advancing the 
IT industry’s security efforts. Accordingly, we support additional federal funding for 
cybersecurity research and development (R&D), including university-driven re- 
search. The public sector should increase its support for basic research in technology 
and should maintain its traditional support for transferring the results of federally- 
funded R&D under permissive licenses to the private sector so that industry can 
further develop the technology and deploy it widely. 

Third, Microsoft believes that greater cross-jurisdictional cooperation and capa- 
bility among law enforcement is needed for investigating cyber-attacks. Cyber- 
attackers can easily transit any border, as demonstrated by the I LOVE YOU and 
Anna Kournikova viruses and the Solar Sunrise attacks, all of which were inter- 
national in scope. Enhanced law enforcement cooperation across local, state and 
international borders, along with increased law enforcement capability internation- 
ally, is vital for law enforcement to prevent and investigate cyber attacks. We there- 
fore support an international law enforcement framework that establishes minimum 
criminal liability and penalty rules for cyber crime so that cyber-attackers cannot 
escape punishment for cyber attacks against the U.S. by seeking refuge outside of 
our borders. 

Fourth, government has a critical role to play in facilitating information sharing. 
Government sharing its own information with industry is essential both to protect 
critical infrastructures and to build value in an information sharing network. In 
short, the government must be a provider as well as a consumer of valuable threat 
information. 

Finally, government must recognize that even with the creation of the Depart- 
ment of Homeland Security and the new National Cyber Security Division (NCSD) — 
both of which Microsoft supported — cybersecurity remains an interagency problem. 
Accordingly, one of the key roles for the new Department, and specifically for NCSD, 
will be building incentives for effective government action, helping other govern- 
ment agencies develop new business processes that support homeland security, and 
reducing government stovepipes. Without a multidisciplinary effort by both govern- 
ment and industry, we will not succeed. 

Conclusion 

Microsoft is committed to strengthening the security of our products and services 
and is equally committed to working with governments and our industry peers on 
security issues, whether by offering our views on proposed regulatory and policy 
measures or participating in joint public/private security initiatives. In the end, a 
coordinated response to cybersecurity risks — one that is based on dialogue and co- 
operation between the public and private sectors — offers the greatest hope for pro- 
moting security and fostering the growth of a vibrant online economy. 

Mr. Thornberry. Thank you. 

We will now turn to our next witness, which is — who has already 
been partially introduced, Whitfield Diffie is vice president and fel- 
low at Sun Microsystems, and has been one of, if not the key leader 
in public key cryptography. And thank you for being here. You are
recognized for five minutes. 

STATEMENT OF MR. WHITFIELD DIFFIE, CHIEF SECURITY 
OFFICER, SUN MICROSYSTEMS, INC. 

Mr. Diffie. Well thank you very much. 

When people look back on this era we are in, the end of the 
twentieth century, the beginning of the twenty-first, I think what 
is going to be remembered is the era of a transition from a physical 
society to a virtual society, an information society, an electronic so- 
ciety. And things that we now regard as fairly arcane security 
mechanisms will come to be seen as fundamental social mecha- 
nisms in the same way that interpersonal recognition, which is a 
security mechanism, is perhaps the most fundamental mechanism 
of society. 

Now, information security at this point is in my view 100 years 
old. There is a lot of prehistory, a lot of cryptography in the Renais- 
sance and things like that. But the critical thing was the introduc- 
tion of radio, because radio was the communications medium so 
valuable that nobody could afford to ignore it. And yet it was a me- 
dium in which all of the traditional security measures typified by 
the diplomatic pouch had no applicability at all. And consequently, 
cryptography was the only mechanism available to protect radio. 

Now there are some other more technical ones, but cryptography 
is the most general one. And that swamped the code clerks. 

First World War, they were working with techniques intended to 
encrypt a small volume of messages that were going to go into 
other protective channels. Suddenly they had to encrypt a vast 
fraction of what was communicated by radio. And this started a 
race to automation and a race to develop good cryptography that 
dominated information security for most of the twentieth century. 
I am pleased to say that I think that as a practical matter, we have 
largely solved that kind of problem. And I will just list one example 
of something that happened within the past few months. 

Within the past 4 years or so, the U.S. adopted a new national 
cryptographic standard. It is called the Advanced Encryption 
Standard. And it was actually formally adopted the 26th of Novem- 
ber, 2001. Unlike its predecessor, the data encryption standard, it 
was designed to be as secure as anybody could want. And that fact 
has been recognized this spring in the issuance of CNSS-15, a policy
memorandum from the Committee on National Security Systems,
recognizing the AES is adequate to be used for the protection of 
classified national security data. 

Now, there is still a long way to go. Even in that direction we 
are a long way from having the first piece of comsec equipment 
that uses AES. But this is a crucial milestone. 

Later in the 20th century, communications security, cryptography-centered security, was joined by computer security. And in the first generation of this in the 1970s and 1980s, the vision was what was then called timesharing, lots of processes running on the same computer. That program was not entirely successful, although I am pleased to say that one of its best products is one of ours: Sun’s Trusted Solaris system is used widely throughout the federal government for high security applications.

But what happened in secure computing, more than the problem being solved, was that the problem changed.

And it became a problem of network security, and we went into — curiously, one of the greatest developments in security is something Sun did not originate but certainly pioneered, which is client-server computing: dividing functionality out among the computers of a network so that one appeals to another for services.

We introduced the Java programming language — a different style 
of writing programs with security very high among its qualifica- 
tions. 

Cryptography has become much more widely available and much 
better developed than it was back in the first period of computer 
security. 

And the cost of hardware has fallen so that we can support com- 
puter security better with dedicated hardware. 

In short, we have a whole new ball game. It also happens we 
have a whole new challenge. 

Today when we say, as we say a lot at Sun, “The network is the computer,” we are not saying a shadow of what we will be saying when we say that five to 10 years from now.

We are entering an era — the current buzzword is “Web services.” 
I don’t know if the buzzword will persist, but the concept will en- 
dure. 

Computers communicating with computers and subcontracting 
work to them. You need data mining done? You need a movie ren- 
dered? You go out and you look at yellow pages, you find a com- 
puter, a resource that has the equipment to do this, and you get 
it done, they return their bill. 

Suddenly we face a new set of security requirements and these 
are characterized by negotiation — one computer has to agree with 
the other what is going to be done; and by configuration control — 
a computer has to demonstrate to the other that it is capable of 
doing these things. 

So we are in the infancy of a computer-mediated society and 
economy. And one of the critical things we know: We have to be 
careful. The decisions we make in security today are going to influ- 
ence the structure of society all through the 21st century. 

So we need both not to rush into regulation, particularly not to 
respond to disasters by sudden patch-up regulations, but to exer- 
cise foresight in this area to devote efforts to studying this area 
and to plan well for the security measures we need. 

Very often the short sight of individual users drives security pol- 
icy. They prefer what appears to be convenience in applications 
over a sound structure that gives them secure operation because 
they don’t anticipate the inconvenience of being broken into and 
having lots of down time. I think that government will have a big 
but what must be a very carefully considered role to play in this. 

Security is going to be far more than just technology. It is going to influence law, it is going to influence business. The example I gave in my written testimony is: You capture the current contracting and subcontracting mechanism in things that happen in fractions of a second between computers. What are you going to do about adjudication? Nothing we have at the moment speaks to the time scale and complexity of operation — of business operations — that is approaching.

I would like to close with one concrete suggestion, prefaced with some very important thanks. There was a proposal within the past year to move the computer security division of NIST into the new homeland security department. And we at Sun and many in industry thought that this was ill-considered because that division had learned over its 15 years of operation after the Computer Security Act of 1986 to work with industry, to field standards that industry actually accepted and used.

And we feared that the move into a department with a more 
military and more classified and more closed style would lead to 
standards that were not so enthusiastically received by industry. 

So I would like particularly to thank Representatives Boehlert, Goodlatte and Lofgren for their support in this matter.

But I think the computer security division at NIST needs much more support and has now a vital role to play. My colleague spoke about the importance of Common Criteria certification for security processes. And that is a very valuable mechanism; it is very much in need of improvement.

The set of classifications within that system is complicated, hard for users to understand, hard for them to know the difference between something certified at EAL-2 and EAL-4. It needs to be simplified; evaluation needs to be improved and speeded up; but probably most important — something that the government is best placed to do — is that a validation mechanism for these ratings needs to be put in place, something that follows this history of evaluated products, determines whether they are really functioning securely, and is able to speed back the record of break-ins or attempted break-ins to these products in order to improve the evaluation products and guarantee that when we have security certification it really means the things are secure.

Thank you very much. 

[The statement of Mr. Diffie follows:] 

PREPARED STATEMENT OF MR. WHITFIELD DIFFIE, CHIEF SECURITY 
OFFICER SUN MICROSYSTEMS, INC. 

When historians write the history of the late 20th century and the early 21st, they are likely to see it as the period when the world moved from the physical to the virtual, when face-to-face meetings, written letters, and visits to showrooms were progressively replaced by phone calls, e-mail, and web browsing. As information, and with it human culture, comes to travel more and more in a digitized, computer-mediated world, the computer and communications infrastructure must be expanded to provide the fundamental mechanisms needed to support the totality of human culture. One of these, widely recognized but little understood, is security.

Information security, essentially the protection of information in electronic media, is about a century old. The field has a long prehistory. Information has been protected on paper and in crude telecommunication channels, like signal fires, for millennia, but information security as we know it today dates from the development of radio and from the use of radio in WWI.

The first major problem in information security was cryptography. Despite cryp- 
tography’s romantic aura and long history, prior to radio, cryptography was always 
a secondary security measure. A dispatch on paper might be enciphered but its pri- 
mary protection lay not in the encryption but in the careful handling of the diplo- 
matic bag. Although telegraph messages were frequently sent in code, the customers 
were relying more on the integrity of the telegraph companies than on the codes 
for security. 

The use of radio, particularly military radio in wartime, was different. Radio was so valuable that no one dared forgo its use. Prior to radio, Britain’s First Sea Lord, who commanded the largest navy in the world, had only a vague idea of where his ships were. He might dispatch a flotilla on a mission and not hear anything about their progress for weeks or months. Within a few years of the introduction of radio, the First Sea Lord could expect to reach any ship in the fleet within hours. Today, of course, with the exception of submarines, this process is virtually instant, like making any other phone call.

The problem with radio from a security viewpoint is that everyone can listen to 
the radio and often the people you don’t want listening get better reception than 
the ones you do. This promoted cryptography from a secondary security measure to 
a primary one. It was the only security measure of any use in protecting radio 
transmissions and it is still the primary one. The result was to swamp the code 
clerks, whose hand techniques were designed to add extra protection to a small frac- 
tion of military traffic, not provide the primary protection to most of it. 

The result was the race to automate cryptography, and the resultant race to auto- 
mate cryptanalysis, that dominated cryptography throughout the 20th century. For 
half a century, military cryptography was dominated by rotor machines: 
electromechanical devices that embodied cipher alphabets in rotating wheels and 
automated the polyalphabetic ciphers that had been known since Renaissance Italy 
but had been too prone to errors to see extensive use. Mechanization reduced the 
errors, increased the speed, and allowed much more thorough protection than could 
be achieved by hand. 

In the 1930s, a new kind of rotor machine was developed in the US, one in which 
the wheels, of one rotor machine were moved by the actions of another rotor ma- 
chine. This machine, called Sigaba, was the most secure cryptosystem of its era and 
it appears that no Sigaba traffic was read in the WWII period. 

By the time of WWII, the US had secure cryptographic systems for protecting ten-character-per-second telegraph traffic but little ability to protect voice or other broader-band signals. The first secure telephone was developed during the war. The system, called Sigsaly, provided very secure, surprisingly comprehensible voice communications with one severe drawback: the system occupied thirty racks of equipment, weighed as many tons, and cost millions. At first, the only customers who could “afford” Sigsaly were Roosevelt and Churchill. Even though Sigsalys were later provided to major military commands, there were never more than a dozen of them. However limited in deployment, Sigsaly was proof of concept for secure voice, and the need to develop higher speed cryptosystems dominated cryptographic development for decades.

Although, like all important subjects, cryptography is still beset with profound un- 
solved problems, it is no longer the limiting resource in secure communication that 
it was for most of the 20th century. Good cryptographic systems are now available 
and the mathematical foundations on which they rest are widely understood. 

The new status of cryptography is exemplified by the US Advanced Encryption Standard (Federal Information Processing Standard 197). AES is the successor to the US Data Encryption Standard (FIPS-46), which was adopted in 1977. At that time, the National Security Agency recognized the need for a cryptographic system to protect government information outside the national-security sphere. Because such a system could not achieve its objectives without being made public, NSA worried that it would also be used by the enemies of the United States. The result was a compromise, a system that NSA considered strong enough for its intended application but weak enough that it would not present an insurmountable obstacle if NSA encountered a DES cryptogram that it felt sufficiently motivated to read. The development process, although formally open, was in fact closely held and the compromise became the subject of a long-running controversy.

When the DES came to the end of its useful lifetime in the late 1990s, the Na- 
tional Institute of Standards and Technology set out to replace it. This time the 
process was entirely different. After a public process of developing the requirements 
for the new algorithm, a solicitation drew fifteen candidates from around the world. 
The candidates were studied over a period of two years in a process that involved 
three public conferences. Five finalists were selected from the fifteen and then one 
winner was selected from the finalists. On the 26th of November 2001, an algorithm 
designed in Belgium was selected as the national standard of the United States. 

To those who had watched the evolution of US cryptographic policy over the previous three decades, the AES seemed miraculous, but an even more surprising turn occurred this spring, which was publicly announced in June. The Committee on National Security Systems of the Department of Defense issued Policy Directive 15, which authorized the use of AES (in approved implementations) for all levels of classified national security information. It will be years before we are applying COTS infosec technology to the majority of our national security systems, but we have just passed an essential way point on that road.

Although unification of other aspects of cryptography has not reached the same level of standardization, key-management techniques based on the first generation of public-key cryptographic systems are in use for both government and private sector security. Second generation key-management techniques based on elliptic curve cryptosystems promise a greater degree of unification within the decade.

In the latter half of the 20th century, cryptography was joined by another information security problem: secure computing. With the development of computers capable of running more than one program at a time came the problem of running two different programs with different security levels or different owners and preventing them from interfering with each other. In the 1970s and 1980s there was great optimism about the prospects of developing a multi-level secure operating system.

This program called for extensive system specifications and formal verification 
that the systems met their specifications. This proved expensive and fewer systems 
emerged than had been expected. Among the successes is Sun’s Trusted Solaris, a 
high-security operating system that is widely used in DoD and the Intelligence Com- 
munity. In a reflection of the rising importance of security, the enhanced-security 
features of Trusted Solaris are being steadily integrated into the main-stream 
Solaris product and the two systems will be merged in the next major release. 

Despite such isolated successes as Trusted Solaris, the problem of secure com- 
puting has been transformed more than solved. In the 1970s an organization of 
moderate size, such as Rand or the MIT Lincoln Laboratory would have a small 
number of big computers, perhaps only one. Every program that was run would 
have to be run on the one machine. If it was so sensitive that it could not be run 
in the presence of other programs, for fear that they might be spying on it, it would 
have to pay the high price of having the machine to itself. 

As the seventies flowed into the eighties, two factors came together to change this. Computers got cheaper and became available at a variety of prices and a variety of levels of performance. Equally important, the ARPAnet, ancestor of the Internet, became available. This meant that a sensitive project no longer had to make arrangements for using a shared computer. It could purchase its own computer, appropriate to its needs and budget, put the computer in a room, and lock the door. Its communications with the outside world, if it needed any, could be handled through network channels more easily controlled than the communication paths internal to an operating system.

Client-server computing, the concept on which Sun was built, although rarely thought of as a security mechanism, has made a major contribution to security. In the network environment, a sensitive database can be isolated on a machine by itself, communicating with the rest of the world through a network connection. Enforcing the database’s access policies against users of other machines on a network is far easier than enforcing them against other users on the same machine.

Another key success in computer security came with the Java language. In the 1970s, DoD aspired to purchase “untrusted” applications, such as compilers, and run them on classified data, in this case secret programs. Untrusted in this case means “uncleared.” The programs in question came from reputable software manufacturers, but from manufacturers who did not have DoD facility clearances or cleared workforces. In the 1990s, this objective was magnified several fold. With the rise of the Internet, it became valuable for client computers to import applet programs in real time from servers. As the cost of putting up a server is small, the applets no longer could be counted on to come from reputable computer manufacturers. “Untrusted” had reached a new level; a workstation needed the ability to run programs about which it knew nothing and get useful work out of them, without exposing itself to excessive risk. The Java solution is to write the programs in a portable language which is structured to allow the client machine to verify the structure of the incoming program before executing it.

Given the substantial effort that has been devoted to computer security over the 
past thirty years, the mixed results of that effort, and the fact that the need for 
security is steadily increasing, it is reasonable to ask what the prospects are today 
for major improvement. If one answers, as I would, that the prospects are quite 
bright, one must also answer the question “Why?” 

As described above, the answer is that in large part, we are facing a new problem. The computer security problem seen in the 1970s has changed into a network security problem of the 21st century. Some problems have been solved, some problems remain, and many new problems have appeared. Equally important is the fact that new tools have become available. In the 1970s, cryptography was primitive by comparison with its development today. Two aspects of cryptography especially crucial to computer security, public key cryptography and hashing functions, were in their infancy. Equally important, the National Security Agency, whose monopoly of cryptographic erudition was far greater then than now, was the major backer of secure computing research but discouraged the application of many cryptographic techniques to the problem in unclassified research. The final piece of the puzzle is the ever-decreasing cost of computing. It is now feasible to dedicate computing capacity to security in a way that was not feasible even a decade ago.

An early example of a hardware-based approach to security problems is the 
domaining system of Sun’s E12K and E15K servers. These servers can assign proc- 
essors to processes and confine the resources available to those processes within a 
hardware-enforced domain. The effect is to combine much of the security advantage 
of running the process on an isolated computer with the advantage in cost and flexi- 
bility of running it on a shared computer. 

It is a fair summation of our present position in information security that we have 
an excellent toolkit in the cryptographic area and a moderately good one in the com- 
puter security area. Having good toolkits is not the same as having good security, 
however; if it were, the security of the cyberinfrastructure would be far better than 
it is. Much of what needs to be done can be characterized as routine. New code 
needs to be written with greater care than has often been customary, old code needs 
to be repaired, and the security mechanisms that we know how to build — keying in- 
frastructures, for example — need to be built, shaken down, and brought to a level 
of operational quality that allows us to depend on them. Other challenges loom on 
the horizon, however. 

For as long as I have known the company, Sun has had the slogan “The Network is the Computer,” and every year the slogan becomes truer. For years, it has been difficult for me to detect whether files I was using were on my own desktop or stored on a server some distance away. More recently, it has become possible to call on specialized computing and storage processes outside my own machine. These more recent techniques go under the name “Web Services.” At present most uses of web services involve interaction of a program currently being used by a human being — most often a browser — with a remote website supplying a service. In the near future — five or ten years at the most — this will evolve into a primarily computer to computer activity.

Today, the activities of both the public and the private sectors consist largely of business to business contracting and subcontracting processes. Some of these require great imagination and will for the indefinite future be performed by humans; others are routine and will be automated at a steady rate. Computers needing services will consult “yellow pages” directories of available services; choose providers according to price and capability; send out work orders; receive their results; and pay their bills.

Two sorts of web-based businesses are easy to foresee. The first are specialized 
businesses; businesses that offer a specific sort of service. They may have propri- 
etary algorithms for such computationally intensive activities as graphic rendering 
or datamining; they may have access to specialized data such as the results of phys- 
ical, biological, or social studies; they may have vast amounts of computing power. 
At present, Google provides an example of all three. It possesses vast amounts of 
computing power that it uses to build specialized databases, available to no one else, 
and it delivers information to its customers using specialized algorithms for both 
building and searching the databases. 

A second kind of business that is in its infancy is more general in character: util- 
ity computing. As a business, utility computing is rather like property rental. Many 
companies, rather than owning property, rent their offices and often subcontract to 
their landlords the provision of furniture, food, environmental controls, etc. As util- 
ity computing matures, a startup — based perhaps on development of a new 
datamining algorithm — will no longer need to raise sufficient capital to have the 
powerful computer required to do production runs for its customers. It can wait for 
work to come in, then turn around and lease computing capacity from a “computer 
cycle provider.” 

What sort of security measures will be required in this environment? They will 
parallel those of the current contractual mechanisms, particularly those employed 
for government contracts. When a system integrator contractor subcontracts the fab- 
rication of a part for a military aircraft to a machining business, it is trusting not 
only that the work will be done correctly but that the plans for the part will be re- 
turned and that the subcontractor will not make extra copies for competitors. In 
choosing its subcontractor, the system integrator will seek a provider with a suitable 
facility clearance. Contracting on this scale is generally for work lasting from days 
to years and often reflects long-standing business relationships. 

The computers will do it all faster. It is hard to predict exactly how far in the 
future this vision is but at some point, contracts for specialized data processing are 
likely to be negotiated and fulfilled in seconds. 
The two problems that will be at the forefront of security research and development over the next decade are negotiation and configuration control. They will parallel existing business functions but they will take place at much higher speed and without moment-to-moment human oversight. The circumstances will incorporate many mechanisms now in use such as reputation assessment (clearance, Better Business Bureau membership) but in a far less forgiving environment. When contracting goes badly at present, problems are generally referred to the courts. When contracting goes badly on the scale of seconds, what mechanism will step into the breach?

As we move our economy and society further and further into computer mediated 
telecommunication channels, the role of cybersecurity in homeland security will 
grow steadily. There will not be general agreement on the proper course of action. 
Our decisions will advantage some legitimate parties and disadvantage others. The 
solutions to the problems that arise will thus be as much legal and political as tech- 
nical and will tax both our resources and our imaginations. 

Mr. Thornberry. Thank you, sir. We will now turn to Dr. Craig 
Lowery, who is chief security architect and a software architect and 
strategist at Dell Computers. 

Welcome, sir, you are recognized. 

STATEMENT OF DR. JAMES CRAIG LOWERY, CHIEF SECURITY ARCHITECT/SOFTWARE ARCHITECT AND STRATEGIST, DELL COMPUTER CORPORATION

Dr. Lowery. Thank you Chairman Thornberry, Ranking Member 
Lofgren, members of the subcommittee. My name is Craig Lowery, 
software architect and strategist for Dell. 

We are very pleased to be here this morning, and we would like 
to wholeheartedly concur with your opening themes of partnership 
and consensus, because Dell believes that that is the best way to 
go about achieving more secure systems for everyone. Since every- 
one is using these systems, we all play a role. 

We see a universe of technology which has vendors and cus- 
tomers that are working in partnership together. It is not reason- 
able to think that one party or the other has a complete key to 
solving the security puzzle. 

Vendors bring products to market, and they must make reason- 
able allowances for security as part of the design of those products. 
And customers have a responsibility, too, in the way that they de- 
ploy those products. 

It is possible to create a product that is “secure,” when it is 
shipped as a single component, but when it is placed into an aggre- 
gate configuration it could very well be part of an insecure infra- 
structure that is created. 

So it is not a one-sided approach that should be considered to solving the security puzzle. It has to be partnership- and consensus-driven. One of the things that is defining about Dell as a company is its direct business model, which you may have heard about.

If you haven’t, I will give you just a little bit of a glimpse into 
it, because it very much influences how we are approaching this 
problem, among others. 

The direct business model means that Dell believes that having 
direct relationships with our customers is the best way to go about 
delivering solutions to them, because we can hear directly from 
them the problems that they are having, they are trying to solve, 
the solutions that they need. 

One way to arrive at consensus of customer input, customer feedback, is through standards. We are a very standards-oriented company. We prefer to deliver standards-based solutions, because we believe that that is, first of all, something that has gone through a consensus process, either formal or sometimes more informal, through user groups.

We also see that that consensus process develops a standard 
which everyone understands, there are no surprises, and can be de- 
livered to, we can deliver products to that. That is very much in 
line with our direct business model. 

One of the concrete examples that I have for you this morning of this strategy at work is a new offering from Dell which is based on work that has been done by a group called the Center for Internet Security, or the CIS.

The Center for Internet Security is a group of users across sec- 
tors of industry, government, education, finance and health care, 
who have gotten together their security experts and have pooled 
their knowledge of experience and best practices, the best way to 
go about securing things. 

And the product of this group is a set of things called bench- 
marks. These benchmarks are settings for pieces of software, such 
as operating systems, which the users that are members of the CIS 
agree are the best settings, according to their research and their 
work. 

At the request of our government customers, we have taken 
those settings for Microsoft Windows 2000 and we are now making 
those settings available direct from our factory, pre-installed, on 
certain products, specifically our Optiplex, our Latitude notebooks 
and our Precision Workstations. 

This is the direct result of our philosophy and the work of the 
consensus mechanism in the industry to bring about immediate 
changes into the security landscape at this time. 

We certainly see that security is a moving target, and that as 
things progress these improvements will appear not as a change to 
settings that we have to make, but that are going to be built di- 
rectly into software products, and we see that already happening 
at the source. 

We are also working in other areas to deliver more secure solu- 
tions to our customers at their request, things like smart cards, 
which are a form of authentication that has been requested by cus- 
tomers. 

We now have smart card readers built into our D series Latitude 
notebook computers, and also we have keyboards for our systems 
which read smart cards. 

We have biometric technology, which we have been evaluating, 
and we have decided that some of those solutions meet our require- 
ments and those of our customers, and we are now making those 
things available through our Software and Peripherals Depart- 
ment. 

Standard physical locks for chassis and racks and things like that are always something that we are attending to and making sure are securing the physical hardware, and new types of products, for example, such as firewalls, which we are making available through Dell to our customers so that they are able to get their security solutions, or most of their computer solutions, directly from us.

So in summary, we do believe that security is best achieved in partnership and consensus, things we are very happy to hear that are being expressed here today.

Our direct model, we believe, puts us in a position to really make 
use of standards and to help disseminate that kind of information. 
The CIS offering is a concrete example of that in action. 

We continue to evaluate best-of-breed solutions in the security 
space and bring them to market as our customers request them. 
Thank you for your time. 

[The statement of Dr. Lowery follows:] 

PREPARED STATEMENT OF DR. JAMES CRAIG LOWERY, PH.D. 

Chairman Thornberry, Ranking Member Lofgren, and Members of the Sub- 
committee, thank you for the opportunity to discuss Dell’s perspective on 
cybersecurity and the role of technology, specifically hardware and software security 
products. My name is Craig Lowery and I am the chief security architect in the Dell 
Product Group. 

Headquartered in Round Rock, Texas, a suburb of Austin, Dell was founded in 1984 on a simple concept: that by selling computer systems directly to customers, Dell could best understand their needs and efficiently provide the most effective computing solutions to meet those needs. Today, Dell is the world’s leading computer systems company. The company employs approximately 40,000 team members around the globe. We design, build and customize products and services to satisfy a range of customer requirements, from the desktop, notebook, server, storage and professional services needs of federal government agencies, to those of the largest global corporations, and to those of consumers at home.

To fully appreciate Dell’s security strategy, one must understand Dell’s direct 
business model. We believe that the best customer solutions are most efficiently 
derived through direct relationships with our customers and suppliers. Our 
build-to-order system allows customers to order computers tailored to their needs, 
manufactured specifically for and delivered directly to them. We believe that 
customers receive the best value from products built with standard technologies; 
to that end, we seek to foster standards throughout the industry to reduce cost 
and increase customer flexibility and choice. As I will explain, each of these 
facets of the direct model plays a key role in how Dell is approaching computer 
system security. 

Cybersecurity has become increasingly important for our industry due to the need 
to provide products to our customers to better protect their IT systems from cyber 
attacks and viruses. Until recently, most company security solutions have been 
proprietary and customized to fit their specific needs. As the need for IT security 
has grown from supporting specific applications to that of protecting critical IT 
infrastructure, our industry, including Dell, has pushed for standardization to 
make security more affordable and widely available. 

As a technology vendor, Dell is committed to delivering value through reducing 
the costs of acquisition, deployment, interoperation and maintenance of our 
products, including our security products. Dell believes that these benefits are 
best achieved through the benefits of industry standard technologies. Specifically, 
Dell believes that standards in the security arena are driving and will continue 
to drive these technologies to levels of maturity that make them more transparent 
to the end-user and thus suitable for widespread adoption in the industry. As these 
technologies mature, Dell leverages the benefits of its direct model to bring these 
technologies to market quickly and affordably. 

Securing information systems is only possible through partnership between 
vendors and customers. Security is a moving target, and the products and services 
addressing security needs necessarily evolve as the landscape changes. Vendors are 
responsible for bringing to market products that incorporate widely accepted 
security design goals. Customers are responsible for deploying the products in a 
manner consistent with effective security best practices. Vendors must be open to 
customer feedback to understand their security concerns, and customers must be 
diligent to provide that input. 

Dell is placing more and more emphasis on security as a chief design 
consideration in all of our products. Certainly as a hardware vendor, we are acutely 
aware of the need for physical security through mechanisms such as locks and 
detection devices. Our efforts to deliver more secure products extend beyond 
hardware. Since we custom-build the systems we ship, including factory installing 
operating systems and applications, we have the opportunity to continually improve 
upon the software configurations we offer to customers. We work closely with 
software providers during their design and implementation phases. We are able to 
identify and integrate tested security components into our factory-installed 
software so that customers can enjoy the benefit of best solutions “out-of-the-box.” 
Pre-installed virus protection is one example. 

An important security benefit of our build-to-order system is that it reduces the 
time between when we make changes to our products in the factory, and the time 
a customer receives the product. Therefore, if we improve the security of a product, 
our system helps to minimize the lag time in getting it to the customer since there 
is no inventory that must first be moved in the distribution channel. 

Another example of creating an even more secure software configuration is a new 
Dell offering available through our custom factory integration unit. Dell is 
beginning to offer desktop systems installed with Microsoft Windows 2000 pre-set to 
the Center for Internet Security’s Level I benchmark. This is a separate offering 
from our “normal” Windows 2000 installation, which continues to be available. 

The CIS Level I benchmark is a consensus standard which the CIS considers the 
best and least restrictive security settings for Windows 2000. These settings were 
developed with input from government agencies, business, universities, and 
individual security experts. In providing the factory installed benchmark systems, 
Dell is responding to customer demand for a hardened operating system direct from 
the factory. Although it is designed for our public segment customers such as 
federal, state and local governments, this product can benefit any organization 
wishing to receive a certain level of security with a system directly from Dell. 

System BIOS passwords and hard-drive passwords continue to play an important 
role in security. For even more robust forms of authentication and access control, 
Dell now offers integrated smart card readers in our Latitude D-family notebooks 
as a standard feature, and in our smart card reader keyboard for desktops. In 
addition, Dell offers biometric authentication solutions in the form of add-on 
peripheral devices. Dell is actively involved in new developments in wireless 
security standards such as Wi-Fi Protected Access, and the emerging 802.11i 
standard. 

Through our software and peripherals department, Dell is able to provide 
customers with third-party solutions that meet their demanding standards, such as 
wireless products, firewalls, and security software. 

Again, security requires cooperation between vendor and customer. At Dell, we 
know our customers face many challenges when it comes to successfully deploying 
an IT infrastructure that is secure, usable, and manageable. We provide deployment 
and management assistance to our customers in several forms to help them in these 
efforts. 

In addition to telephone support, Dell provides access to our technical support web 
site. Premium technical support is available to customers requiring even faster 
response. Our engineers develop white papers and journal articles targeting many 
content areas, including computer system security. These articles are also freely 
downloadable from our web site at dell.com/powersolutions. We are actively engaged 
with security organizations such as the SANS Institute, the CERT Coordination 
Center, the Center for Internet Security, and the Free Standards Group. 

Dell also makes available pre-packaged and customized services, helping to 
ensure consistent, repeatable processes for our customers. Dell’s service offerings 
include everything from one-time services to deploy and configure, to fully managed 
solutions where we take on the day-to-day tasks of running your IT infrastructure. 
Security is one of many aspects we consider in providing these services to our 
customers. 

Dell is a security-aware and privacy-aware company. We know that security is of 
increasing importance to our customers, and we are striving to deliver more secure 
products and services, as well as those that are security-specific, as they become 
available. We deliver security solutions in a way that is consistent with Dell’s 
model: quality, low cost, easily integrated standards-based solutions that meet our 
customer requirements, delivered directly to them. We look forward to working with 
this Subcommittee as it considers ways to improve cybersecurity. 

Thank you again for inviting me to participate in today’s hearing and for seeking 
Dell’s perspective on cybersecurity. I would be happy to answer any questions. 

Mr. Thornberry. Thank you, sir. 

As my colleagues can tell, we have roughly divided up the 
witnesses into two groups. We have heard from three witnesses that 
are roughly in the field of products, and now we are about to turn 
to three that are roughly in the field of services although with 
these companies, clear lines are difficult to draw. 

We will now turn to Jay Adelson, who is a founder and chief 
technology officer of Equinix, which is the largest independent, or 
neutral, provider of interconnection and data center services in the 
world. 

Welcome, sir. You are recognized for five minutes. 

STATEMENT OF MR. JAY ADELSON, CTO & FOUNDER, EQUINIX, INC. 

Mr. Adelson. Thank you. Chairman Thornberry, Congresswoman 
Lofgren, distinguished members of the committee, I sincerely 
appreciate having the opportunity to be here today as a 
representative from Internet industry, and more specifically, the 
perspective of critical Internet infrastructure, the Internet itself, 
network access points, or commonly known as Internet exchange 
points. 

As you said, my name is Jay Adelson. I am the founder and chief 
technology officer of Equinix. And the reason Equinix has a unique 
perspective on the issue of Internet security is, as you said, we are 
the largest neutral provider of interconnection. Equinix’s facilities, 
therefore, serve as the meeting places for all the various elements 
of Internet, ranging from enterprise users, large Internet Web 
sites, network providers, telephone carriers, cable companies and 
subscriber services. 

Much of the Internet industry knows us as an exchange point or 
NAP where most of the Internet traffic in the United States, or 
significant portions, converge as they pass from one network, such as 
AT&T, to another, such as AOL, as well as the place where important 
sites, such as Google, Yahoo, Paypal, IBM customers and others place 
their critical infrastructure. 

A good analogy for an exchange point is that we function as an 
international airport for Internet networks and services. And our 
airlines are networks and our travelers are data bits and bytes. 
There are 100 exchange points in the world bearing services and 
levels of security though, in common, they all facilitate this 
exchange of traffic. 

While my distinguished panel members are part of well known, 
large vendors and network service providers, the chances are, while 
you may not have been exposed to Equinix in the past, you stand 
to receive e-mail that traverse our exchange points and surf Web 
sites housed in our facilities. The very fact that Equinix is a 
physical part of the Internet infrastructure, where such a large 
percentage of the Internet itself, happens is not as well known. It 
illustrates the fact that the Internet itself is a massive structure 
interconnecting independent entities very difficult to accurately 
measure, monitor, and international in scope. 

Equinix, like international airports, focuses heavily on the 
physical security of our data centers. And we have instituted check 
points, audit trails, people traps, steel cages, layers of biometric 
security, et cetera, and very strong security operations procedures. 
Our customers demanded these in the late 1990s when we built 
them. And we based the security design and requirements from our 
financial service customers and recognize that there was no 
physical security standard on which to build and base our new design. 
We were not able to find any of these reference standards to the 
level of security operation procedure we felt, and our customers 
felt, were appropriate for such an important hub as Internet traffic. 
It didn’t exist. So, therefore, we made a conscious decision, as part 
of our business plan, to be the most physically secure exchange 
point in the United States. 

But this model is fairly unique in that market forces allowed us 
to develop this new approach to providing heightened physical 
security. 

A balance must be achieved between network service providers, 
hardware vendors and their users. Ultimately, users must bear, as 
my colleagues suggested, the largest responsibility for protecting 
their assets. Network service providers and software and hardware 
vendors supporting the Internet industry can only empower the 
Internet users with systems and services that enabled secured use 
of the Internet. 

There are strong economic limitations to the scope of physical 
and logical protection network service providers can reasonably 
implement. But at a minimum, a baseline standard of configuration 
and administration can be met. 

The cyber and physical security best practice, developed by the 
Network Reliability and Interoperability Committee, are a good 
example of how infrastructure operators are able to provide baselines 
for all network operators to follow. These range from information 
about network configuration to background checks for employees in 
critical facilities. And as a nation, we must continue to advance 
research and development to increase the embedded security level as 
well as support these standards at the network level and with edge 
users. 

There are a surprisingly high number of autonomous networks 
and systems that affect the health of the Internet. A common 
misunderstanding is that only a few very large networks, known as 
backbones, create the largest impact. 

As incidents of the past have taught us, there are many more 
players, enterprises, domain name service providers, foreign 
networks and small regional networks that can impact network 
stability and security. 

These entities are scattered all over the world, their security 
policies and procedures are as diverse as the networks and services 
that they operate. 

While information sharing with the federal government is a 
newer concept in the Internet arena, information sharing is fairly 
robust within the Internet technical community, and it has to be. 
We are all customers and providers to one another, and a major 
failure on the Internet impacts all infrastructure operators at the 
bottom line. 

We communicate with our account reps, our technical help desk, 
our emergency contacts, to restore services as quickly as possible. 
It is not clear, however, how to integrate the federal government 
into the commercial information-sharing exchange. 

The government has an opportunity to act as a means to spread 
the word during a crisis, and tools such as the Cyber-Warning 
Information Network are a good start, although the original intent of 
these systems must not be diluted. 
Opening the communication channels is critical when every 
second counts, but choosing what data is appropriate through 
ISAC-to-ISAC communications, versus leaving it open, limits their 
effectiveness. 

The federal government must do more to expand information-sharing 
with infrastructure owners, and establishing the National 
Cyber-Security Directorate at the Department of Homeland Security 
is a good first step. 

In the event of a cyber-crisis, it is important for the Department 
of Homeland Security to understand that the infrastructure owners, 
the network operators in particular, are the first responders. 

Speed is of the essence in responding effectively to these types 
of crises, and therefore adding communications steps and 
information management runs the risk of slowing down the response. 

For infrastructure operators, the Internet is first and foremost a 
commercial enterprise, and thus restoration of service is critical in 
order to meet the service level agreements with customers, as well 
as to support the Internet commerce generally. 

This must be recognized as processes are developed, and, as well, 
centralization of all this information will improve accuracy in 
communication. The methods of information distribution must be 
relatively instantaneous and flat in hierarchy. 

In conclusion, Equinix strongly supports the work of the 
Department of Homeland Security in working to promote both physical 
and cyber-security for our nation’s networks. And I very much 
appreciate the opportunity to testify here today, and would be happy 
to answer questions that the committee may have. 

[The statement of Mr. Adelson follows:] 

PREPARED STATEMENT OF MR. JAY ADELSON 

Chairman Thornberry, Congresswoman Lofgren, distinguished members of the 
Committee; I sincerely appreciate having the opportunity to be here today as a 
representative from Internet industry, and more specifically, the perspective of 
critical infrastructure of the Internet itself, the Internet Exchanges, or Network 
Access Points (NAP). 

My name is Jay Adelson, and I am the Founder and Chief Technology Officer of 
Equinix. The reason Equinix has a unique perspective on the issue of Internet 
security is that we are the largest independent, or “neutral,” provider of 
interconnection and data center services in the world. Equinix’s facilities serve 
as the meeting places for all the various elements of the Internet, ranging from 
enterprise users, large Internet web sites, and network providers such as telephone 
carriers, cable companies and subscriber services. 

Much of the Internet industry knows us as a NAP operator, or Network Access 
Point, where most of the Internet traffic in the United States converges as it passes 
from one network, such as AT&T, to other large networks, such as UUNet or AOL, 
as well as the place where important web sites, such as Google, Yahoo!, PayPal, or 
IBM customers, place their critical infrastructure. 

A very good analogy for a NAP operator is that we function as an international 
airport for Internet networks and services, though our airlines are networks, and 
our travelers are the data bits and bytes. There are over a hundred NAPs 
throughout the world, varying in services and levels of security, though in common 
they all facilitate the exchange of Internet traffic. 

While my distinguished panel members are part of well known, large network 
service providers, chances are that while you may not have been exposed to Equinix, 
you have sent or received e-mails that have traversed our exchange points, and 
surfed websites housed in our facilities. The very fact that Equinix, as a physical 
part of the Internet infrastructure, where such a large percentage of the Internet 
passes, is not as well known, illustrates the fact that the Internet itself is a 
massive structure of interconnecting, independent entities, very difficult to 
accurately measure or monitor, and international in scope. 
Role of Industry and Equinix In Securing Cyberspace 

The Internet exists on multiple layers, both the physical and the logical. At the 
physical level, the industry has a long way to go to secure itself. While some 
infrastructure operators provide advanced cyber and physical security, some 
operators have not yet incorporated security into their basic business plan. This 
provides the Internet industry as a whole with much room for improvement. 

Equinix, like international airports, focuses heavily on the physical security of 
our datacenters, and have instituted checkpoints, audit trails, man traps, steel 
cages, five layers of biometric security, high-availability video, concrete 
embankments and strong security operations procedures. Our customers have demanded 
this physical security from our facilities. When we built them in the late nineties, 
we based the security design on the requirements from our financial services 
customers, and recognized that there was no physical security standard upon which 
to base our new design. We were not able to find any reference standard for the 
level of security operations procedure we felt, and our customers felt, was 
appropriate for such an important hub of Internet traffic. It simply didn’t exist. 

Equinix, therefore, made a conscious decision as a part of our business plan to 
be the most physically secure NAP operator in the United States. However, our 
model is fairly unique in that market forces allowed us to develop a new approach 
to providing heightened physical security for critical Internet assets. At this 
point, Equinix’s customer base represents over 90% of the Internet routing table, 
as over 120 of the largest and most prolific Internet networks use our locations as 
their critical hubs. 

Equinix, as a central exchange point between networks, will continue to do our 
part to physically secure the Internet assets. At the logical level, the 
implementation issues are international in scope, with literally thousands of 
independent players requiring education and motivation to adopt modern security 
practice. 

Industry Responsibilities 

A balance must be achieved between network service providers, hardware 
vendors, and their users. As secure as a network may be from compromise, or as 
many features that a hardware or software vendor places in their products, 
ultimately users must bear the largest responsibility for protecting their assets. 

Network service providers, and software and hardware vendors supporting the 
Internet industry can only empower the Internet’s users with services and systems 
that enable secured use of the Internet. There are strong economic limitations to 
the scope of physical and logical protections network service providers can 
reasonably implement, but at a minimum, a baseline standard of configuration and 
administration can be met. 

The cyber and physical security best practices developed by the Network 
Reliability and Interoperability Committee (NRIC) are a good example of how 
infrastructure operators are able to provide baselines for all network operators to 
follow. These range from information about network configuration to background 
checks for employees in critical facilities. However, best practices are often 
difficult and costly for smaller networks, enterprises, universities, governments, 
or individuals to implement. As a nation we must continue to advance research and 
development to increase our embedded security level, at the network level and with 
edge users. 

Information Sharing 

There are a surprisingly high number of autonomous networks and systems that 
affect the health of the Internet. A common misunderstanding is that only a few, 
very large networks, commonly known as backbones, create the largest impact. As 
incidents of the past have taught us, there are many more players, including 
enterprises, content providers, domain name server operators, foreign networks and 
small regional networks, that can have significant impact on network stability and 
security. Recent research Equinix conducted shows evidence of there being over 
13,000 entities, not including network service providers, in the global Internet 
that manage their own multi-network connectivity, injecting their network 
information into the global Internet. These entities are scattered all over the 
world, and their security policies and procedures are as diverse as the networks 
and services they operate. While abuse from one of these entities can be mitigated 
through good security practice, a large number of them are as relevant in 
information sharing as the network operators themselves. 

While information sharing with the federal government is a newer concept in the 
Internet arena, information sharing is fairly robust within the Internet technical 
community. It has to be — we are all customers and providers to one another, and 
a major failure on the Internet impacts all infrastructure operators at the bottom 
line. We communicate with our account representatives, with our technical help 
desks, with our emergency security contacts, to restore service as quickly as 
possible. What is not yet clear, however, is how to integrate the Federal 
government into the commercial information sharing exchange. 

How the Federal Government Can Help with Information Sharing 

The Federal Government has the opportunity to act as a means to spread the 
word during a crisis as a central moderator. Tools such as the Cyber Warning 
Information Network are a very good start, although the original intent of these 
systems to be a tool during a crisis for the Internet community must not be 
diluted. Opening the communication channels is critical when every second counts. 
Choosing what data is appropriate for ISAC to ISAC communications, versus leaving 
it open, limits their effectiveness. 

The Federal government must do more to expand information sharing with 
Internet infrastructure owners. Establishing the National Cyber Security 
Directorate at the Department of Homeland Security is a good first step. However, 
for the Federal government to become a trusted partner for information sharing 
purposes, it will have to develop business plans and models to highlight how and 
where the government is best suited to assist the Internet infrastructure in 
protecting and restoring itself. 

The Role of the Department of Homeland Security 

The DHS has two unique and immediate functions that it should provide to 
infrastructure operators. First, DHS should provide a platform for information to 
be shared, amongst infrastructure sectors, and to the states. Second, DHS should be 
working in partnership within industry to promote the development of cyber 
security standards and baselines, to ensure a national approach to cyber-security. 
Clarifying the Federal government’s role as the “Public” partner in our 
Public-Private Partnership, cited in the National Strategy to Secure Cyberspace, 
will be a critical task for the new Cyber Security Directorate. A network operator, 
content provider, or NAP operator all have different roles to play in a crisis, and 
the value of the response will be contingent upon the DHS having a clear 
understanding of what data is appropriate for which group, and what action, if any, 
the government is capable of taking. 

In the event of a cyber-crisis, it is important for the DHS to understand that the 
infrastructure owners, the network operators in particular, are the “first 
responders.” Speed is of the essence in responding effectively in these types of 
crisis, and therefore adding communication steps and information management runs 
the risk of slowing down the response. For infrastructure operators, the Internet 
is first and foremost a commercial enterprise, and thus restoration of service is 
critical, in order to meet service level agreements with customers, as well as to 
support Internet commerce generally. As a result, crisis communications at the 
technical level between the largest infrastructure operators is generally very 
good. Trust and experience has played a large role in increasing the response 
capabilities of the largest infrastructure operators, and the government will have 
to develop trust and experience as it becomes a part of cyber-security. This must 
be recognized as processes are developed, as while centralization of the 
information will improve accuracy, the methods of information distribution must be 
relatively instantaneous and flat in hierarchy. Working with industry as the 
“first responder” will be an immediate challenge, and a new paradigm for DHS that 
requires dedicated effort. 

In conclusion, Equinix strongly supports the work of the Department of Homeland 
Security in working to promote both physical and cyber-security for our nation’s 
networks. I very much appreciate the opportunity to testify today, and would be 
happy to answer any questions that the Committee may have. 

Mr. Thornberry. Thank you, sir, appreciate it. Frank Ianna has 
been with AT&T for more than 30 years, including most recently 
as president of AT&T network services. 

Earlier this year he announced his intention to retire, but they 
can’t let him go. And so we are glad you are here with us today, 
sir, and now you are recognized for five minutes. 

STATEMENT OF MR. FRANK IANNA, PRESIDENT, AT&T 
NETWORK SERVICES, AT&T CORPORATION 

Mr. Ianna. Chairman Thornberry, thank you very much, 
Congresswoman Lofgren and members of the subcommittee. Let me 
summarize my testimony with several points, and then 
recommendations under some of those points. 
First, along the idea of cyber and physical security. Cyber-threats 
are particularly challenging to the service industry for four 
reasons. 

First, attackers do not need a physical presence or a large 
investment in a physical presence to cause harm. They could do it 
remotely. 

Point number two is that all vendors of products and services, 
hardware and software, whether they are switching elements or 
computing elements, have critical roles to play in enhancing the 
overall cyber-resiliency of mission-critical services. 

And several recommendations can spring from this, such as 
software and equipment vendors and network operators and standards 
bodies should have products that have built-in baseline security 
features. With system administration, any interaction of these 
should be made simple. 

Service providers and vendors should collaborate also to develop 
an overall security management system so that we could see very 
instantaneously the traffic anomalies happening on networks, then 
we could respond very quickly too. 

And the government can stimulate development of more secure 
products by funding research and development of inter-operable 
software and hardware standards to provide network management 
described above. 

The third point is that there is extensive interconnection, as 
some of my colleagues have mentioned, this is the very nature of 
communications among telecom and IP providers and data network 
providers. 

And each of these carriers are interconnected to form a service 
for a consumer or a business. 

We must help each other. And we have to communicate with 
each other, our operations centers, on a continuous basis. A 
significant failure in one network can cause a significant failure in 
another network. And in many cases, the symptoms of a failure in 
one network actually show up first in the other network. 

Carriers today do share network disruption information directly 
between their operation centers, ours, the global network operation 
center in Bedminster and all the other carriers that we interface 
with, and with the Telecom Information Sharing and Analysis 
Center, the Telecom ISAC, today. 

For example, the slammer worm that we detected on January 25, 
2003 was the fastest-spreading worm in history, but industry 
worked together with the Telecom ISAC and with government to 
share our mitigation plans, our strategies and our notification 
procedures. 

Point number four, insider threats to our network should not be 
discounted. A malicious insider may easily circumvent cyber-security 
protections employed to discourage outside threats. So a 
recommendation here would be to have infrastructure providers and 
governments work together to develop a process to ensure that all 
employees and contractors with access to critical facilities undergo 
background checks, screening and National Crime Information 
Center reviews. 

Now, the next point is talking about public and private 
partnerships. What we are saying here is that there is a good 
opportunity to have a public/private partnership with the government. 
The telecom ISAC, for example, is a good example of this, it is the 
number one long-standing public/private partnership in telecom. 

Point number six, is companies will only engage in sustained and 
meaningful information sharing when there is a compelling 
business case to do so and only in a trusted environment. And this is 
for two related reasons. The government should consider adopting 
the NCC funding model to enhance effectiveness of other ISACs 
where the government is actually funding some of the 
infrastructure for us to communicate amongst each other. 

For example, the round-the-clock staffing is not borne exclusively 
by the private sector, it is borne by the government. And the gov- 
ernment partners provide value back to the industry. Two exam- 
ples here, the government should provide value to other ISACs in 
the form of useful and timely threat information, and supporting 
industry’s response recovery efforts during the crisis. 

The NRIC, as my colleague here mentioned, the National Reli- 
ability and Interoperability Council, which is really the sixth incar- 
nation of that council created every 2 years, is a long-standing 
partnership that the FCC and the Telecom industry started in 
1992. 

The FCC — and point number seven — has wisely recognized that 
to be successful, the effort must be: number one, voluntary; number 
two, developed by industry experts; and number three, adaptable 
to different network providers to reflect differing architectures and 
approaches. What constitutes a network failure in a wire line voice 
network is very, very different than what constitutes a failure in 
an IP-provided network, for example. 

Two final points here. Number one, information about physical 
locations and capabilities of network infrastructures must be care- 
fully safeguarded. We have seen instances where much public in- 
formation has been put out and there are a lot of requests for infor- 
mation. We recommend here that particularly we work with the 
Department of Homeland Security and particularly the states. 

We may not be only getting one request from the federal govern- 
ment, and we actually could be getting 50 requests from different 
states to provide very macro and very specific threat and vulner- 
ability information. And we believe that the Department of Home- 
land Security should be the focal point for coordinating process 
amongst all federal agencies and states so that we ensure that the 
information is properly managed. 

And then finally we should expand our public and private part- 
nership. Private sector critical infrastructures providers must have 
the opportunity to provide input to portions of the new national 
emergency response plan that address how the private sector would 
respond in a national crisis. I would like to thank you for allowing 
me to make these comments, summarizing the positions that AT&T 
has from our experience in these industries. Thank you very much. 

[The statement of Mr. Ianna follows:] 

PREPARED STATEMENT OF MR. FRANK IANNA 

Thank you for this opportunity to testify on behalf of AT&T regarding industry 
views on cyber security. My name is Frank Ianna, and I am the outgoing President 
of AT&T Network Services. My testimony will describe AT&T’s views on several as- 
pects of this very important issue. 
AT&T is among the premier voice and data communications companies in the world, 
serving businesses, consumers, and government. The company runs one of the most 
sophisticated communications networks in the U.S., backed by the research and de- 
velopment capabilities of AT&T Labs. A leading supplier of data, Internet and man- 
aged services for the public and private sectors, AT&T offers outsourcing and con- 
sulting to large businesses and government. With approximately $37 billion of rev- 
enue, AT&T has about 40 million residential customers and 4 million business cus- 
tomers who depend on AT&T for high-quality communications. As such, we have an 
overarching interest in preserving and promoting a safe, secure and robust infra- 
structure that will be a key enabler of economic growth and prosperity of the United 
States. We therefore very much appreciate the opportunity to offer these comments 
today. 

Cyber vs. Physical security: 

Sound security practices obviously must address both physical risks and cyber risks. 
Cyber security risk management is more focused on the “logical” or user’s view of 
the way data or systems are organized as compared to physical security risk man- 
agement of our network which is topology/technology-focused. But cyber threats are 
particularly challenging for at least four key reasons. First, attackers do not need 
physical presence to do significant harm, and a cyber “saboteur” could launch at- 
tacks from anywhere. Nor does it take a large investment to launch a cyber attack, 
only a PC and access to the Internet. 

Second, the availability and deployment of cyber security capabilities is not only a 
service provider issue, but requires the involvement of product developers, vendors, 
and end-users. Software code is becoming increasingly complex and the number of 
lines of code is multiplying at an incredible rate. Thus no single entity has complete 
control over the security of its product or service. The very structure of today’s 
hearing reflects that reality - that all vendors of products and services have critical 
roles to play in enhancing the overall cyber-resiliency of mission-critical services. In- 
dustry, standards bodies, software and equipment vendors, network operators, and 
end-users of all products and services that make up the Internet should ensure that 
these products have built-in baseline security features and that these features are 
appropriately configured and kept up-to-date. System administration of current 
cyber products is much too difficult. Vendors need to be encouraged to simplify their 
products and employers need to increase the level of expertise required to perform 
this vital task. 

One specific area in which service providers and vendors could cooperate that would 
make a vast improvement in cyber-security is in the development of an overall secu- 
rity management system that would provide detailed traffic statistics to the Net- 
work Operations Centers of major IP backbone providers about the transmission of 
packets on our networks and detect and respond to anomalies, as we do today in 
our public switched telecommunications network. 

Government can also play a key role in stimulating development and deployment 
of more secure products and services, not by trying to impose compliance at some 
arbitrary level, but by funding research and development of interoperable software 
and hardware standards to provide the network management that would enable net- 
work operators to detect and stop malicious attacks in the core network. Govern- 
ment can also create strong incentives for the deployment of these capabilities 
through its purchasing power as a user of more secure cyber capabilities. 

Third, because there is extensive interconnection among telecommunications and IP 
networks, carriers must assist one another because a significant failure in one net- 
work can affect another network. In fact, telecommunications carriers today share 
network disruption information directly between Network Operations Centers, and 
with the sector Information Sharing and Analysis Center (ISAC). The Slammer 
worm, which was detected on January 25, 2003, was the fastest spreading worm in 
history. This worm affected more than 90 percent of vulnerable hosts within 10 min- 
utes, far more quickly than Code Red of 2001. Industry participants worked together 
through the Telecom ISAC and with the government to share mitigation plans. The 
good news is that the Slammer worm had no payload; the bad news is that a similar 
worm could be launched with a malicious payload. We need to be better prepared 
by building more secure technology and employing better processes to support secu- 
rity controls for the entire network. 

Lastly, though cyber threats can originate anywhere, the insider threat should not 
be discounted, because a malicious insider may easily circumvent cyber security pro- 
tections that are deployed to discourage outside threats. To address this issue, pro- 
viders of critical facilities must work with others in industry, and with government 
at all levels to develop and employ a standard process to ensure that all employees 
and contractors with access to critical facilities undergo appropriate background 
checks, screening, and National Crime Information Center reviews. Government can 
play a key role by helping to develop the most efficient process, and by acting as 
a centralized resource to coordinate requests from industry for reviews. This is good 
and will help. 

Now, having said that, I want to add that those service providers of critical infra- 
structure have had to solve the problem of access long before it became prominent 
following the events of September 11. Many people enter and leave critical infra- 
structure facilities every day. The location may be any location where multiple pro- 
viders have placed facilities and equipment. These individuals may be communica- 
tions technicians from different service providers who are maintaining equipment 
housed in the building. There are others who also may need to gain access to a 
building, such as power contractors, janitors, vending machine operators, copying 
machine technicians, etc. During the day, any number of non-communications-re- 
lated individuals go in and out of telecom buildings. One solution that AT&T has 
implemented is to escort all non-badged individuals who need access to critical loca- 
tions. AT&T has made strong security a top priority for many years, but because 
we are so extensively interconnected with other infrastructure operators, we must 
also closely cooperate with our peers, arguably to a greater extent than in any other 
infrastructure. Our industry has of necessity been a leader in the information shar- 
ing process long before the President’s Commission on Critical Infrastructure Pro- 
tection and PDD-63 recommended the formation of sector-specific, information shar- 
ing forums in May, 1998. 

Developing an effective “public-private partnership”: 

As you know, most of the country’s critical infrastructures are owned and operated 
by the private sector, thus the private sector must play a key role in safeguarding 
those infrastructures. With cyber security, the private sector has an even more im- 
portant role, because the responsibility for implementing adequate security meas- 
ures falls not only on core infrastructure providers like AT&T, but also on govern- 
ment and business enterprises that deploy and rely on cyber information systems 
to perform business-critical functions. For these reasons, much has been said about 
the need for an effective “public-private partnership” to share security-related infor- 
mation and to address security-related threats and vulnerabilities. These are laud- 
able goals, and in fact, AT&T and other telecommunications companies have been 
working together to identify and address security risks, and to develop security-re- 
lated best practices in partnership with government, for many years. Two of the 
most significant partnerships are noteworthy. 

The Telecom-ISAC 

Much of the benefit attributed to a partnership between government and industry 
involves the need to encourage robust, timely, two-way information sharing about 
threats, vulnerabilities, intrusions and anomalies. New protections provided in the 
recently enacted Homeland Security Act significantly reduce the possibility that sen- 
sitive information shared voluntarily for these purposes might be disclosed publicly. 
Nevertheless, companies will only engage in sustained and meaningful information 
sharing when there is a compelling business case for doing so, and only in a trusted 
environment. We at AT&T have a lot of experience in this area. Telecommunications 
carriers have shared information informally with the National Communications Sys- 
tem (NCS) since 1984. In 1991, the National Security Information Exchange (NSIE) 
was established as a forum in which government and industry could share informa- 
tion in a confidential, trusted environment. Since March of 2000, the NCS’s National 
Coordinating Center (NCC) has served as the Information Sharing and Analysis 
Center, or “ISAC” for Telecommunications. Telecom-ISAC participants, including in- 
dustry and government representatives, gather and share information on threats, 
vulnerabilities and intrusion attempts. Information is analyzed to help avert or min- 
imize disruptions to the telecommunications infrastructure. The results are aggre- 
gated and disseminated as provided by agreement among the ISAC members. In ad- 
dition, the NCS hosts the NCC and is the lead agency for the telecommunications 
support functions under the Federal Emergency Response Plan. In that capacity, the 
NCC is specifically charged with assisting in the coordination of telecommunications 
restoration and provisioning during national disasters through government and in- 
dustry cooperation on a 24-hour basis. NCS and the telecommunications carriers 
also collaborated on the development of the “Government Emergency Telecommuni- 
cations Service” or “GETS”, which provides government and industry personnel with 
key national security or emergency preparedness responsibilities with the ability to 
gain priority access to the public switched telecom network in times of significant 
network congestion. 

There are two related reasons why we believe that the telecom-ISAC has been par- 
ticularly successful. First, the Telecom-ISAC is funded largely by government ap- 
propriations, so the core infrastructure and round-the-clock staffing is not borne ex- 
clusively by the private sector, as is the case with other ISACs. Second, government 
“partners” provide value back to the industry participants. First, the information- 
sharing goes two ways. The government routinely provides specific threat and alert 
information to industry representatives. Second, in real crises, the government NCC 
representatives quickly engage as ombudsmen on behalf of industry, helping indus- 
try gain access to impaired locations for purposes of restoration and recovery, and 
they represent the needs and concerns of the industry in terms of coordinating re- 
sponse. On September 11, 2001, the NCC helped network providers gain access to 
Ground Zero to restore communications, including arranging for military air trans- 
port for some of our key disaster recovery personnel who were stranded in Cali- 
fornia when commercial aircraft were grounded. The ability of government to deliver 
this kind of assistance, proven repeatedly in crises of differing degrees over the 
years, has led to an atmosphere of trust and cooperation in which we in industry 
have felt comfortable sharing sensitive information with the government and with 
our competitors in times of crisis. 

This level of trust is essential because in order for information about security con- 
cerns and incident response activities to be useful to companies and to the govern- 
ment, it must be shared quickly. This need for expediency results in reports that 
are initially incomplete and potentially inaccurate, and there can be unintended con- 
sequences if the information is not treated with care. This trusted environment has 
also allowed industry and government partners to engage in periodic “exercises” to 
test the potential impact of different threat scenarios based on accurate network 
data from multiple carriers. 

The National Reliability and Interoperability Council (NRIC) 

Another example of the partnership that has worked and should be the model for 
any government and industry problem solving is the Network Reliability and Inter- 
operability Committee (NRIC). First organized by the FCC in 1992, the NRIC was 
established following several telecom outages to study the causes of the outages and 
to make recommendations to reduce their number and effects on consumers. Since 
then, some 50 telecom carriers, equipment manufacturers, state regulators and con- 
sumers have participated. This has been a standing committee for over 10 years, 
and is a forum where industry and government come together for the good of the 
industry to work specific issues. Y2K was one such issue. NRIC VI is focused on 
Homeland Security with teams addressing both Physical and Cyber security. The 
product is a set of best practices (proven processes used in the industry) for service 
providers and equipment/software vendors to use to mitigate risk of attacks. 

Another feature of NRIC is the monitoring and analysis of the performance of the 
public switched network based on reliability data collected during the last 10 years. 
The Network Reliability Steering Committee (NRSC), a voluntary industry com- 
mittee, reviews each outage report submitted to the FCC, looks for trends, publishes 
the results quarterly and annually, and looks for ways to improve the collective per- 
formance of the network. A new phase of this work, currently underway in the 
NRIC, is collecting similar outage data on wireless, cable and ISP networks in order 
to conduct data analysis, enable performance improvement, and develop new best 
practices. In leading this effort, the FCC has wisely recognized that to be successful, 
it must be: 1) voluntary; 2) developed by industry experts; and 3) adaptable by dif- 
ferent network providers to reflect differing architectures and approaches. 

Safeguarding sensitive proprietary information: 

As a private sector operator of a major part of one of America’s most important crit- 
ical infrastructures, we carefully safeguard all information about the physical loca- 
tions, capabilities and components of our world-wide infrastructure. While some se- 
curity experts discount the “security through obscurity” approach to risk manage- 
ment, I disagree. A July 9 Washington Post article describing the ability of a GMU 
graduate student to amass copious quantities of sensitive information about a vast 
array of critical infrastructure facilities highlights the danger of making sensitive 
information too easily available. In fact, we would suggest that if possible, this stu- 
dent’s report be provided by the Department of Homeland Security to the appro- 
priate industry body, presumably the Telecom-ISAC, for analysis of its accuracy. It 
is in keeping with national security interests to assess the extent to which a moti- 
vated individual can develop a map of the infrastructure through compilation of 
publicly available information. The findings would be very useful in developing safe- 
guards to prevent the continued proliferation of such information. 

While this kind of threat clearly is of major importance for physical security, it also 
presents a very significant, indirect threat from a cyber-security perspective because 
the information could be used to launch simultaneous cyber and physical attacks, 
which could result in exponential reductions in network capacity and potentially 
dramatic customer impact. 

Despite these concerns, we are increasingly solicited by various governmental enti- 
ties for very specific, extremely sensitive, proprietary information about our capa- 
bilities and maps of our network facilities and routes. States are attempting to com- 
pile lists of the critical assets of AT&T and other carriers for purposes of critical 
infrastructure protection. We are concerned about the breadth, open-endedness, lack 
of specificity, potential cost, and ability to safeguard and keep confidential any infor- 
mation that is provided. Neither states nor the federal Government should expect 
this information from network operators. First, security-related information that is 
provided to government entities outside the federal Department of Homeland Secu- 
rity may not be adequately protected from federal and state Freedom of Information 
laws. Even more importantly, it is not clear that information collected on a whole- 
sale or generalized basis advances homeland security in any way, and may create 
greater risks to homeland security. In fact, proper analysis of any potential vulner- 
ability requires a detailed assessment of the specific facilities of concern, the serv- 
ices they support, and the impact mitigation strategies applicable to those services. 
Instead of making arbitrary requests for massive downloads of extremely sensitive 
information, states should work with the Department of Homeland Security (DHS) 
and directly with critical infrastructure providers to determine what specific infor- 
mation is really needed and to establish coordinated processes and procedures. The 
DHS should be the focal point for the coordination across the regions, states, and 
municipalities, as well as across key industry sectors, to ensure that the information 
is useful, responsive, and properly managed. 

Expanding and refining the “public private partnership” 

We understand that the Department of Homeland Security, in coordination with the 
nation’s governors, is updating and expanding the Federal Disaster Response Plan 
into a National Response Plan, and that private sector critical infrastructure pro- 
viders will have the opportunity to provide input to portions of the plan that address 
how the private sector would respond in a national crisis. We applaud this ap- 
proach, and look forward to continuing to work with the country’s leaders, both pub- 
lic and private sector, to ensure that the private sector’s views are considered and 
our capabilities are reflected in the evolving plan. I would also like to emphasize 
that a significant challenge during the recovery from the attacks of September 11 
was physical perimeter control procedures that were changed as the responsible gov- 
ernment authority shifted from local to state to federal control. As NSTAC rec- 
ommended to the President, I also recommend that Congress task the Department 
of Homeland Security to partner with industry in developing a physical perimeter 
control plan to be part of the National Response Plan for use by all government au- 
thorities. 

AT&T would like to particularly thank Chairman Thornberry, Congresswoman 
Lofgren and the Members of this Subcommittee for holding a hearing on this impor- 
tant issue. I offer AT&T’s assistance to the Committee as well as my own, and I 
would be glad to answer any questions you may have. 

Mr. Thornberry. Thank you, sir. 

Finally, batting cleanup as they say, Tatiana Gau is chief trust 
officer and senior vice president at America Online. Thank you for 
being here and you are recognized for five minutes. 

STATEMENT OF MS. TATIANA GAU, CHIEF TRUST OFFICER AND SENIOR VICE PRESIDENT, AOL CORE SERVICES, AOL TIME WARNER 

Ms. Gau. Thank you, Chairman Thornberry, Representative Ses- 
sions, Representative Lofgren and members of the subcommittee. 
Thank you for the opportunity to testify before the subcommittee 
on the important issue of cybersecurity. 

My name is Tatiana Gau, and I am the chief trust officer and 
senior vice president, America Online, where much of my focus is 
on cybersecurity, consumer protection, privacy and online safety. 

At AOL we are committed to playing the leadership role on the 
issue of security. Employing our technology, tools and educational 
resources we strive to provide secure products and services, to en- 
sure a safe and secure environment online, and to educate our 
members to help them protect themselves. 

As part of these efforts, we have developed extensive plans to ad- 
dress security issues in our products and services, our network and 
on the Internet. 

AOL is working hard to implement recommendations in the 
President’s national strategy to secure cyberspace that apply to our 
service. This strategy lays out some very important steps that the 
private sector should take and that AOL is undertaking to protect 
consumers. 

We have designed elements of the next version of our software, 
AOL 9.0 Optimized, to fit the recommendations in the strategy. 
AOL embraces the partnership between government and private 
sector envisioned by the strategy, and we are committed to working 
with our vendors and competitors to strengthen security at the net- 
work and the end-user level. 

Online security is an ongoing process. 

At AOL, network security is an important part of the cyber safe- 
ty equation. In order to prevent denial-of-service attacks and other 
intrusions, AOL, like many other ISPs, has integrated dynamic de- 
nial-of-service mitigation protection at all levels of our system 
which helps us protect against attempted attacks. 

We monitor our network for viruses and take both proactive and 
reactive measures to prevent, detect and eliminate them. 

AOL also employs significant protections to safeguard access to 
member data. And we have incorporated many new safety and se- 
curity features in our next client software, which is expected to be 
available later this summer. 

These cutting-edge safety and security features include: a free 
firewall for broadband users provided in partnership with Network 
Associates; free and premium antivirus services which are auto- 
matically updated every time a user logs on to AOL; advanced 
spam filters; and computer checkups that enable our members to 
diagnose and fix security problems within their systems. 

Through easy-to-use, behind-the-scenes protective measures and 
checkups, we are helping our consumers help themselves, espe- 
cially in instances where the user may not know how to install or 
update security settings on their own. 

Clearly no tools or technologies are useful unless consumers 
know about them and know how to use them. That is why AOL 
also undertakes significant effort to provide a wide range of edu- 
cational resources. 

For example, AOL’s safety and security area online includes spe- 
cific information about the security features that AOL provides and 
tips on how members can protect themselves against scams and vi- 
ruses as well as how to protect their credit card numbers and pass- 
words. 

It also hyperlinks members to industry collaborative Web sites, 
like Stay Safe Online, GetNetWise, the FTC’s information security 
Web page, for other specific suggestions and reinforcement of our 
messages. 

In addition to informing our members about security risks and 
solutions, we recognize that online leadership means taking on re- 
sponsibilities beyond the AOL community. To that end we have un- 
dertaken numerous initiatives such as joining with other leading 
private-sector companies to form the National Cybersecurity Alli- 
ance, in partnership with the federal government. 

The Alliance Web site, www.staysafeonline.info, provides clear 
and concise consumer tips on information security as well as secu- 
rity background papers and research studies. 

Just last month, in response to an Alliance study, and as part 
of our ongoing educational outreach, we launched a media cam- 
paign to inform high-speed users about the dangers of an unpro- 
tected broadband connection. The primary goal of this unprotected 
broadband media campaign has been to reinforce the message that 
Internet users need to be cyber secure citizens and ensure that 
their computers cannot be hijacked by hackers to engage in cyber 
crime. 

Many of the initiatives I have outlined here involve close co- 
operation with our partners in industry and government and could 
not succeed without the existence of reliable processes for sharing 
information. Internet attacks can come from any part of the net- 
work of networks that constitutes the Internet and come in many 
different changing forms. 

For this reason, AOL strongly supports the development of infor- 
mation-sharing and analysis centers — ISACs — and through these 
and other fora actively engages in sharing information about cyber- 
threats and attacks. 

And, because cyber-attacks can happen quickly and at any time, 
all ISPs should have a 24/7 point of contact within their company 
to work with other ISPs, other providers and governments to re- 
spond to potential cyber-threats. 

We believe that government can play a valuable role working 
with the private sector in encouraging dialogue among all industry 
players to promote information sharing and helping to educate con- 
sumers and businesses. We look forward to working with the De- 
partment of Homeland Security to achieve this goal, and we ap- 
plaud the creation of the National Cybersecurity Division last 
month to continue and expand on many of these public-private 
partnership objectives. 

Thank you for the opportunity to be here today. 

[The statement of Ms. Gau follows:] 

PREPARED STATEMENT OF MS. TATIANA GAU 

Chairman Thornberry, Representative Sessions, Representative Lofgren, and 
Members of the Subcommittee, on behalf of America Online, Inc., I would like to 
thank you for the opportunity to testify before the Subcommittee on the important 
issue of cybersecurity. My name is Tatiana Gau, and I am the Chief Trust Officer 
and Senior Vice President at America Online, Inc., where much of my focus is on 
cybersecurity. I oversee the integrity of the user experience, consumer protection, 
privacy, online safety, accessibility, community standards and policy, as well as cri- 
sis management and coordination for all of the company’s brands. 

At AOL, we are committed to playing a leadership role on the issue of security. 
Employing our technology, tools, and educational resources, we strive to build secure 
products, provide a safe and secure environment within which to surf the Internet, 
and educate our members to help them protect themselves. As part of these efforts, 
we have developed extensive plans to address security issues in products, our net- 
work, and on the Internet. 

To succeed in the area of security, we work with our members to give them the 
tools and knowledge that they need to protect themselves. We cooperate with other 
ISPs, mailers, and members of the computer industry on our plans and initiatives. 
We also work closely with the FTC, FCC, and other federal and state entities. Be- 
cause of the nature of the Internet, we believe that only through cooperation among 
all the parties can we properly address cybersecurity as a whole, both for our mem- 
bers and the public in general. 

AOL is working hard to implement recommendations in the President’s “National 
Strategy to Secure Cyberspace” that apply to our service. This Strategy lays out 
some very important steps that the private sector should take and that AOL is un- 
dertaking to protect consumers. As I will describe, we have designed several fea- 
tures of the next version of our software, AOL 9.0 Optimized, to fit the recommenda- 
tions in the National Strategy. AOL embraces the partnership between government 
and the private sector envisioned by the National Strategy, and is committed to 
working with our vendors and competitors to strengthen security at the network 
and end-user levels. 

AOL’S COMMITMENT TO SECURITY 

At AOL, safety and security are our top priorities. We have worked hard to de- 
velop a culture within the company where the starting point for all of our products 
and services is safety and security. However, online security is an ongoing process. 
It means providing consumers with easy-to-use security technologies, educating con- 
sumers about what to do to help keep their machines and the rest of the online com- 
munity secure, controlling the use of our networks and keeping them safe, keeping 
personal information private, avoiding scams, and educating consumers about safe 
computing practices. Because we recognize that safety is one of the keys to instilling 
consumer confidence in the online medium and is critical to the continued growth 
and expansion of the Internet, we are working continuously to safeguard our mem- 
bers’ accounts and computers and our infrastructure. 

The AOL approach to consumer security is therefore threefold, with a focus on: 
1) building more secure products and technology, 2) providing state-of-the-art security 
tools to our members, and 3) educating consumers, both at AOL and beyond, to 
keep security in mind while surfing the Internet. In each of these areas, we work 
with others in industry and our friends in the government in a partnership aimed 
at providing a secure network for all users. 

1. BUILDING SECURE PRODUCTS AND TECHNOLOGY 

Our company strives to develop and deploy the best security technology available. 
The AOL brand includes many products and services that many people do not real- 
ize are part of AOL, including AIM, WinAmp, and Netscape. We have invested in 
all of these products and services with the aim to provide the best security tech- 
nology available for our subscribers. 

We believe that network operators must make security a top consideration in 
every decision about their networks. We believe that they should monitor their net- 
works for intrusions, apply all security patches for their software in an expeditious 
fashion, and employ a variety of other applicable best practices. 

At AOL, network security is an important part of the cybersafety equation. We 
monitor our network for viruses and take both proactive and reactive measures to 
prevent, detect, and eliminate them. We have a dedicated team of network security 
specialists who are on call 24 hours a day, seven days a week to protect the security 
of our infrastructure. Moreover, AOL member-to-member communications take place 
within a controlled environment, and are facilitated over our highly secure data 
transit network. 

In order to prevent denial-of-service attacks and other intrusions, AOL has inte- 
grated denial-of-service mitigation protections at all levels of our system, which help 
us protect against attempted attacks. AOL is no stranger to the cybersecurity fight. 
We are under almost constant attack from hackers and spammers who target our 
networks. To combat these attacks, AOL and other ISPs have designed Intrusion 
Detection Systems (IDS), which unobtrusively monitor corporate networks in real 
time for activity such as known attacks, abnormal behavior, unauthorized access at- 
tempts, and policy infringements. These systems can be used proactively to block 
certain types of infections and attacks. For example, ISPs can be configured to rec- 
ognize and block inbound traffic that could otherwise infect AOL’s corporate data 
systems. IDS also can be used to detect computer compromises through signatures 
that identify known hostile traffic patterns. When these compromises are detected 
in AOL’s network, the IDS system generates an alert to the AOL security staff, 
which responds immediately. 

When file attachments containing new viruses are reported to AOL by our mem- 
bers, a signature is built and passed on to anti-virus software vendors and our own 
IDS machines so that the viruses can be detected in subsequent attacks. We alert 
our customers as to how they can prevent further propagation of a virus and reach 
out to other providers where we detect abnormal Internet traffic that may be generated 
by a virus. 

AOL also employs significant protections to safeguard access to member data. 
AOL keeps passwords strictly confidential; verification of screen names and pass- 
words is performed on AOL’s secure servers. We recognize that a sound security sys- 
tem involves not only use of tools such as firewalls, intrusion detection systems, and 
anti-virus software, but that our employees play an integral role in protecting secu- 
rity. To this end, access to member data is granted on a need-to-know basis, and 
employees are extensively trained and screened prior to being granted access privi- 
leges. We also conduct periodic internal auditing of network records of data access 
to detect and promptly address suspicious activity. 

2. PROVIDING OUR MEMBERS WITH SECURITY TOOLS 

We are particularly proud of the safety and security features of our new client 
software, AOL 9.0, which is expected to be available later this summer. These cutting-edge 
safety and security features include a free firewall for broadband users, 
free and premium anti-virus services, advanced spam filters, and a computer “check-up” 
that enables our members to diagnose and fix security problems within their 
systems. Some of these features have already been launched but will come together 
as a complete package in AOL 9.0. 

To assist both our narrowband and broadband members, AOL runs a virus scan 
on all e-mail attachments that it receives from the Internet or that are uploaded 
from our members. If a problem is detected and we can fix the file, we do so and 
deliver it to the addressees. If it is a Trojan horse, something that by its very nature 
cannot be fixed, we return the e-mail (but not the attachment) to the sender with 
a warning. However, e-mail attachments are only one way that a computer can get 
infected with a virus. AOL, therefore, has a premium anti-virus offering that, after 
downloading a small program, will guard a subscriber’s computer from viruses on 
floppy disks or CDs. In addition, every time a subscriber signs on to AOL, the virus 
definition file is updated with the latest virus definitions — the most important step 
in protecting your computer because more than 250 new viruses are released on the 
Internet every month. 

In addition, AOL is providing broadband members with a customized firewall to 
guard against hackers and other unauthorized intruders by helping build a wall 
around the member’s computer. The wall, when properly configured, blocks access 
to sensitive files, financial records, and personal data stored on the member’s com- 
puter. AOL has teamed with Network Associates to provide free firewall protection. 

We strongly believe that all users, whether an AOL member or a user of another 
service, should install, regularly update, and run anti-virus software at least once 
a week. If the user has broadband, he should also install and run a firewall. These 
two steps alone would dramatically increase the security of consumers’ computers. 

In addition, AOL has built in an array of security features to address the growing 
problem of spam. AOL already blocks as many as 2.4 billion spam messages in a 
single day. To empower our members and to track down and block spammers more 
quickly, we provide users with a “Report Spam” button on the AOL 8.0 software, 
which gives us rapid reports of spam that evades our filters. Building on the “Report 
Spam” feature and based on extensive member feedback, AOL 9.0 will contain un- 
paralleled spam fighting tools that will make it easier for members to manage spam 
and to protect themselves from unwanted mail. These tools include very advanced 
filters, as well as a feature that will block images and URLs from unknown senders 
unless a member chooses to see them. This feature will help ensure that spammers 
cannot force e-mail that could compromise the security of members’ computers. We 
also are working closely with Congress on legislative solutions to spam. 

AOL 9.0 also empowers users to be proactive toward security by providing for 
computer check-ups. Through these easy-to-use check-ups and behind-the-scenes 
protective measures, AOL can diagnose and fix security as well as connectivity prob- 
lems on a member’s computer. We help the member help themselves, especially in 
instances where the member may not know how to install or update security set- 
tings on their own. 

3. EDUCATING CONSUMERS AT AOL AND BEYOND 

AOL devotes significant time and energy to providing a wide range of well-placed 
education tools and resources that our members would find difficult to avoid. Be- 
cause our members spend an average of 70 minutes per day online with AOL, we 
have ample time to remind them about security, and we do. This time online also 
has implications for the safety of the infrastructure. With more people staying on- 
line longer, those computers can be used to launch a distributed denial-of-service at- 
tack. 

For this reason, AOL spends considerable resources to highlight safety and security 
information available on the AOL service. First, members can easily reach safety, 
security, and privacy information on the service with a toolbar button, which is 
always right in front of the member. Second, we have promoted and will be pro- 
moting even more educational material on spam and Internet scams with our Wel- 
come Screen space. A recent Welcome Screen promotion on scam e-mails had the 
highest click-through of any Welcome Screen promotion (including those on Britney 
Spears) until we started our current promotion on spam. Spam is currently the 
number one area of interest to our members. 

One important feature of our service is its Safety, Security, and Privacy area. 
Member security begins with educational tools that are clear, easy to find, easy to 
use, and easy to customize. Collectively taking care of our community, this site 
urges members to “protect your home computer and the nation’s Internet infrastruc- 
ture.” The site includes specific information about how members can protect them- 
selves against scams and viruses, as well as how to protect their credit card num- 
bers and passwords. It also hyperlinks members to industry collaborative sites like 
“StaySafeOnline,” “GetNetWise,” and “Site-Seeing Tips: Travel Insurance for Cyber- 
space” for other specific suggestions and reinforcement of our messages. 

Another key feature of our service is AOL Keyword: Help. This feature provides 
a resource for members who need assistance on any topic, including security. This 
process is easy to navigate, clear and simple to understand. At Help, one of six list- 
ed topics is “Online Safety.” Clicking this link gives the member online safety sub- 
topics to choose, including information on protecting your password, avoiding com- 
puter viruses and spotting scams and schemes. Clicking any of these choices gives 
the member a menu of related short, simple, useful articles such as “Password Re- 
quests in E-mail,” and “Password Stealing Schemes.” 

In addition to providing many avenues for our own members to be fully informed 
about security risks and solutions, we recognize that online leadership means taking 
on responsibilities beyond the AOL community. AOL feels keenly an obligation to 
use our resources wisely for the benefit of all consumers in the online world. To that 
end, we have undertaken numerous initiatives. 

For example, we have joined with other leading private sector companies to form 
the National Cyber Security Alliance, a unique partnership with the federal govern- 
ment that fosters awareness of cybersecurity through educational outreach. The Al- 
liance website, http://www.staysafeonline.info, provides clear and concise consumer 
tips on information security. AOL is proud to have participated in the design of that 
site, to be hosting it on our web servers, and to be dedicating substantial resources 
toward driving traffic there. 

To gauge consumer attitudes toward and readiness regarding cybersecurity, AOL 
has commissioned studies independently and with others in industry to help identify 
areas where efforts and initiatives can further enhance security. We use the results 
of these studies to tailor solutions to members’ attitudes and practices. A recent 
study conducted by the Alliance demonstrated that the overwhelming majority of 
broadband consumers lack basic protections against the dangers of an always-on 
connection to the Internet. The study revealed that most consumers do not realize 
that they lack those protections or that their computers and personal information 
are at risk. 

In response to this study, and as part of our ongoing educational outreach, we 
launched a major campaign in June to inform high-speed access users about the 
dangers of an unprotected broadband connection. The primary goal of this Unpro- 
tected Broadband media campaign has been to reinforce the message that Internet 
users need to be cybersecure citizens and ensure that their computers cannot be hi- 
jacked by hackers to engage in cybercrimes. 

4. THE IMPORTANCE OF INFORMATION SHARING 

Many of the initiatives we have outlined above involve close cooperation with our 
partners in industry and government and could not be successful without the exist- 
ence of reliable processes for sharing information. Because Internet attacks can 
come from any part of the network of networks that constitutes the Internet and 
come in many different, changing forms, information sharing regarding security 
threats is essential to good cybersecurity. For this reason, AOL strongly supports the development 
of Information Sharing and Analysis Centers (“ISACs”), and through 
these and other fora actively engages in sharing information regarding cyber threats 
and attacks. 

This cooperation has proven very important to the continued stable operation of 
the Internet. For example, in February of 2000, the ISP industry worked together 
to combat the largest attack on the Internet to date by a single individual in Can- 
ada who was able to organize a large scale denial-of-service attack on several large 
websites, temporarily knocking them out of service. As the attack occurred, the 
large players in the ISP industry quickly communicated with each other, through 
informal technical contacts, to isolate and locate the source of the attacks. As a result 
of the industry’s quick response, service to the websites was restored in a matter 
of hours, and the functionality of the Internet as a whole was never interrupted. 

This type of response is typical in the ISP industry, and these well-established 
informal procedures and responses proved to be effective in remedying subsequent 
attacks on the infrastructure, such as NIMDA and Code Red viruses. 

When our IDS system detects or we receive reports of new viruses, we build a 
signature and pass along to anti-virus software vendors as well as our own IDS ma- 
chines. We also reach out to other ISPs when we detect abnormal traffic patterns 
that may reflect a virus or hacker attack, and have a Cybersecurity team on call 
24 hours a day, seven days a week available to address indications or reports of se- 
curity threats. Indeed, because cyber attacks can happen quickly and at any time, 
we believe strongly that all ISPs should have a similar 24/7 point of contact within 
their companies to work with other ISPs to respond to potential network abuses. 

Information-sharing can also help on the law enforcement side of the 
cybersecurity equation. AOL works closely with law enforcement and other govern- 
ment agencies to deal with threats to the critical infrastructure, even when those 
threats may not directly affect AOL or our members. AOL has a dedicated team of 
professionals, including former prosecutors, who work with law enforcement in in- 
vestigations of cybercrimes, including hacking and other security threats. We co- 
operate with authorities not only in responding in a timely fashion to their requests 
for information during an investigation, but also proactively in alerting law enforcement 
to potential network threats. AOL has worked closely with government and 
law enforcement to identify and locate major hackers whose actions have threatened 
the Internet, including the creator of the infamous Melissa virus. 

We look forward to working with our colleagues in industry and government to 
build upon these existing mechanisms for cooperation and information-sharing, and 
to ensure that the lines of communication are open and clear. 

THE ROLE OF GOVERNMENT AND PUBLIC-PRIVATE PARTNERSHIPS 

We believe that government can work with the private sector in the following key 
areas of cybersecurity: 1) encouraging dialogue among all industry players to promote 
information-sharing; 2) educating the public about staying alert to potential 
network abuses; and 3) promoting active cooperation between industry and govern- 
ment in finding and apprehending hackers. Many of the initiatives we outlined 
above have involved close cooperation between government and industry players in 
these areas. 

With responsibilities for cybersecurity now coming under the primary purview of 
the Department of Homeland Security’s Directorate for Information Analysis and In- 
frastructure Protection, we applaud its creation of the National Cyber Security Divi- 
sion (NCSD) last month and believe it can continue and expand on many of these 
public-private partnership objectives. We look forward to working with the NCSD, 
particularly as it seeks to: 

• identify risks and help reduce vulnerabilities to government’s cyber assets 
and coordinate with the private sector to identify and help protect America’s 
critical cyber assets. As previously stated, government can play a very valuable 
role in keeping the lines of communication open and clear about cyber threats and 
cybersafety; 

• oversee a consolidated Cyber Security Tracking, Analysis & Response Center 
(CSTARC), which hopefully will serve as an effective, single point of contact 
for the federal government’s interaction with industry and other partners on a 
24x7 basis. The CSTARC should work closely with existing ISACs and should 
seek to develop tools to increase communications among all players; and 

• create cybersecurity awareness and education programs and partnerships 
with consumers, businesses, governments, academia, and international commu- 
nities. In coordination with the National Cyber Security Alliance and its 
StaySafeOnline campaign, and other organizations, the NCSD should seek to 
advance the development and expansion of education programs without delay. 

We look forward to seeing DHS’s execution of the actions and recommendations 
outlined in the National Strategy to Secure Cyberspace, and will support those ef- 
forts as we continue to work closely with government and law enforcement in mini- 
mizing threats to our cybersecurity. 

CONCLUSION 

We applaud the Subcommittee for its examination of these issues as companies 
such as ours undertake significant efforts on behalf of our members and the Inter- 
net as a whole. We will continue to work hard to implement recommendations laid 
out in the National Strategy in our products and our outreach initiatives, and en- 
courage other companies to do so as well. We are deeply committed to addressing 
cybersecurity in partnership with government and with our suppliers and others in 
our industry. We look forward to continuing to work with Congress, the Administration, 
and others in industry toward ensuring cybersecurity. 
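The attachment-handling flow the statement describes (scan every attachment; repair and deliver where the file can be fixed; otherwise strip the attachment and return the mail to the sender with a warning; turn a member-reported sample into a signature that can be shared with scanners) is sketched below as an added illustration. This is constructed example code, not AOL's software and not part of the hearing record; the signature names, addresses, byte patterns and the toy "disinfection" step are all assumptions made for the example.

```python
"""Toy mail-gateway attachment policy (constructed example, not AOL's code).

Outcomes modelled, following the statement's description:
  * clean attachment          -> deliver the message unchanged
  * repairable infection      -> remove the hostile fragment, deliver cleaned file
  * Trojan / unrepairable     -> drop the attachment, return the mail to the
                                 sender with a warning
A member-reported sample becomes a whole-file hash signature for sharing.
"""
from dataclasses import dataclass, field
from typing import List
import hashlib

GATEWAY = "virus-gateway@example.test"  # hypothetical gateway address


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes = b""      # byte pattern identifying a known hostile fragment
    sha256: str = ""          # whole-file hash of a reported sample
    repairable: bool = False  # True only when removing `pattern` leaves a safe file

    def matches(self, data: bytes) -> bool:
        if self.pattern and self.pattern in data:
            return True
        return bool(self.sha256) and hashlib.sha256(data).hexdigest() == self.sha256


def build_signature(name: str, sample: bytes) -> Signature:
    """Turn a reported sample into a shareable hash signature.
    A hash covers the whole file, so nothing can be repaired: treat as Trojan."""
    return Signature(name, sha256=hashlib.sha256(sample).hexdigest(), repairable=False)


@dataclass
class Attachment:
    filename: str
    data: bytes


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str = ""
    attachments: List[Attachment] = field(default_factory=list)


@dataclass
class Disposition:
    action: str            # "deliver" | "deliver_cleaned" | "return_to_sender"
    detections: List[str]  # names of the signatures that fired
    message: Message       # what actually leaves the gateway


def process(msg: Message, signatures: List[Signature]) -> Disposition:
    detections: List[str] = []
    kept: List[Attachment] = []
    unrepairable = False
    for att in msg.attachments:
        hits = [s for s in signatures if s.matches(att.data)]
        if not hits:
            kept.append(att)
            continue
        detections.extend(h.name for h in hits)
        if all(h.repairable for h in hits):
            data = att.data
            for h in hits:
                data = data.replace(h.pattern, b"")  # toy "disinfection" step
            kept.append(Attachment(att.filename, data))
        else:
            unrepairable = True  # hostile attachment is dropped entirely
    if unrepairable:
        warning = Message(
            sender=GATEWAY, recipient=msg.sender,
            subject="Returned: " + msg.subject,
            body="Your message carried an attachment identified as hostile ("
                 + ", ".join(detections) + "). It was not delivered.",
            attachments=kept,  # only attachments that passed travel back
        )
        return Disposition("return_to_sender", detections, warning)
    if detections:
        return Disposition("deliver_cleaned", detections,
                           Message(msg.sender, msg.recipient, msg.subject, msg.body, kept))
    return Disposition("deliver", [], msg)


def demo() -> dict:
    """Run four constructed cases; returns the Disposition for each."""
    sigs = [
        Signature("Example.Macro.A", pattern=b"AUTO-OPEN-MACRO", repairable=True),
        Signature("Example.Trojan.B", pattern=b"TROJAN-DROPPER-STUB"),
    ]
    reported = b"constructed worm sample reported by a member"
    sigs.append(build_signature("Example.Worm.C", reported))  # shared with scanners

    def mail(data: bytes) -> Message:
        return Message("alice@example.test", "member@example.test", "report",
                       attachments=[Attachment("report.doc", data)])

    cases = {
        "clean": mail(b"quarterly numbers"),
        "macro": mail(b"quarterly numbers AUTO-OPEN-MACRO more text"),
        "trojan": mail(b"TROJAN-DROPPER-STUB"),
        "worm": mail(reported),
    }
    return {k: process(m, sigs) for k, m in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:7s} -> {result.action:17s} {result.detections}")
```

One caveat a gateway operator would add today: mass-mailing worms forge the sender address, so returning mail to the apparent sender, as the 2003 flow does, misdirects the warning to uninvolved third parties (so-called backscatter). A current design quarantines the attachment and notifies the intended recipient instead; the rest of the flow (scan, classify, repair or drop, share the signature) is unchanged.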

Mr. Thornberry. Thank you. 

It is a little bit frustrating from this side of the dais because I 
think the subcommittee could spend an entire hearing with each of 
you. And yet what we are trying to do is also get our arms and 
brains around the larger problem, the overview. And so we appre- 
ciate each of you being here today. 

I want to mention before we turn to questions that toward that 
end this subcommittee is sponsoring, with CRS, a workshop on 
cyber-security, and I would encourage all members to have their 
staff members attend. It is Monday, July 21, in the Cannon Caucus 
Room. Ms. Lofgren and I have sent information on this to each of 
your offices. We have some fine folks who are there and I would 
recommend that you send your people. 

I would like to start with a kind of a broad overview question ad- 
dressed to each of you. And a number of you have talked about this 
in your statement. But, again, in the interest of trying to see if 
there is consensus and in broad form where we go, I would like for 
each of you to briefly address this question. We are not going to 
have time to get all into it, but we will go back. 

And here is, I guess, my question. The market is driving each of 
you towards some measure of greater security. First question is, 
are you comfortable that that market-induced level of security is 
sufficient for our nation’s security or is something more required 
than where the market is going to take you? 

Secondly, if you think something more is required — and I don’t 
assume that — but if you think something more is required, then 
just in rough outline what is the federal government’s role in 
achieving that extra measure beyond which the market allows you 
to go. 

Again, I would ask each of you to be relatively brief in your an- 
swer, because I want to turn to other folks, but that is kind of the 
big question that this subcommittee is grappling with. And so I 
would like to just go down the line. 

Mr. Reitinger, if you would start? 

Mr. Reitinger. Thank you, Mr. Chairman. I will try to be very 
brief. 

I think the market is going to go a long way. This is a very inno- 
vative industry. And as you heard from the panel today, across the 
industry we are seeing security innovation. 

It is possible that in selected areas the market will not go as far 
as the nation needs for national or homeland security purposes. I 
have two points on that. 

One, you can’t look at that broadly, though. In other words, the 
market may not go far enough in a particular place, or in another 
particular place or sector. So I think it is less a broad question and 
more a particularized question. 

Second, it is dynamic. In other words, the question is not where 
is the market now, but where is the market going and where do 
we need to be? Do we need to look at the direction we are going 
in? 

Second point, even if the market is not going to go as far as we 
want to go, I would urge policy makers to move in as, I believe my 
estimable colleague Whit Diffie said, as tailored a fashion as possible. 
Just because the market may not go as far as you need for 
national security doesn’t mean to leap to regulation or some other 
mandatory step. 

I think one of the critical functions for the new Department of 
Homeland Security is to take a very close look at where the market 
is going, figure out what it is going to do, where there may be gaps, 
and then figure out the best and least intrusive way to close that 
gap. And I think some of the suggestions we would have I stated 
in my written statement and I outlined for the committee and 
won’t repeat. 

Thank you. 

Mr. Thornberry. Thank you. 

Mr. Diffie? 

Mr. Diffie. I think I will take it for granted that there is some 
role for government in this and just spend a moment or two just 
looking at what that might be. 

I think it is important for the government to do those things that 
it is uniquely qualified to do. So, for example, the government has 
access to information that is not available or not as readily avail- 
able in the private sector. And so, as I said in my testimony, I be- 
lieve that a follow-up mechanism for measuring the actual security 
of systems in operation should be used to validate the certification 
mechanisms. 

This turns on the fact that the intelligence information needed 
to do that is very hard for industry to get because individual pieces 
don’t want to share it and they share it more readily with the gov- 
ernment. 

I also believe the government has played a very important role 
in standardization. I cited the advanced encryption standard. If it 
is anything like as successful as its, I believe, more controversial 
predecessor, the data encryption standard, that will be something 
that the fact the U.S. government took this on as a standard will 
have a transforming effect. 

Finally, there is government’s incomparable role as a customer, 
both in the sense that the government could perhaps show more 
foresight in putting security forth as a requirement for the systems 
that it uses but also in a unique ability to engage in certain large 
purchases, so to speak. So, one of the problems — we have had a 
long discussion of why public key infrastructure has not developed 
as well as many of us hoped. And I believe at root that is a capital 
development problem. That is to say, like a telephone infrastruc- 
ture, a keying infrastructure becomes more valuable, the more of 
it there is. And so it is hard to get it started. 

So, if you contrast general government and civil sector keying ac- 
tivities with those of the Department of Defense, which has a fo- 
cused mechanism for putting out up-front development costs, you 
see that they got much better results in a shorter period of time. 

So I think the government needs to consider what major steps 
like that it might take. 

Mr. Thornberry. Thank you. Dr. Lowery. 

Dr. Lowery. I am wondering if there will be much left to say by 
the time you get to the end of the row because many of the themes 
that you have heard expressed so far to my right we also concur 
with. In particular, government’s role as a customer is one that we 
see as extremely important. You have a lot of opportunity to give 
us input through our direct relationship with you as a customer of 
Dell, for example, to tell us what it is that you want. 

And the CIS benchmark offering is a prime example of this in 
action. This is a result of government customers asking for that. 
So, as a customer, I think you have immediate impact to how in- 
dustry works through market forces. 

The coordinating role of government also should be reemphasized 
because since we do believe in standards or where this is going to 
happen, the consensus that needs to be driven here, a coordinating 
role is important to make that happen. And I think that govern- 
ment helping to arrive at standards is an important function that 
you can provide. And we would like to see more involvement in 
helping to coordinate the standards that are already being devel- 
oped through the market. 

Mr. Thornberry. Thank you. 

Mr. Adelson, is market enough? And if not, where does govern- 
ment fit? 

Mr. Adelson. I believe market drives much of the end-user re- 
quirement, end-user type of applications and tools. While govern- 
ment can certainly advise and inform the service providers to pro- 
vide those tools, market will only go so far as to, say, create my 
end-user environment, something from Microsoft, something from 
AOL. 

At the network infrastructure level, for example, if two networks 
have authentication when they speak with each other, users never see 
that. They don’t know if it is on or off. And so, in order to get net- 
work infrastructure going, you have to have certifications and 
standards, create some kinds of best practices, check against them, 
and then be able to advise the user community that a network has 
met or not met those standards. 

Mr. Thornberry. Thank you. 

Mr. Ianna. 

Mr. Ianna. Answer to the first question. I think that the market 
will take it a long way but not all the way. And I think the govern- 
ment can help here. 

And I would liken this back to when the FCC and the Telecom 
industry created the network reliability council. There were some 
failures in the industry, local carriers, long distance carriers. And 
I think they were dragged in front of a hearing, and were asked 
two basic questions. 

Number one, how reliable is the public switched telecommuni- 
cations network? And there was not a lot of good information to 
give that answer. And if you couldn’t answer the first question, you 
certainly couldn’t answer the second one, is it getting better or is 
it getting worse? 

Forming the network reliability council brought all of the partici- 
pants in the industry together, NRIC as it is now called. 

And we now have some 44 quarters worth of data broken down 
amongst the components, the physical components, of wire line net- 
works as to what causes failures. And we know how reliable it is 
and is it getting better or worse and what is causing a particular 
problem. 
So I would suggest that the way that we approach this is to 
have a voluntary public forum that we could share information, 
best practices and the like and that we set a standard to answer 
the question: How cyber secure are we? And there is going to be 
a metric around that. And is it getting better? Is it getting worse? 
Because it will continuously change. As we interconnect one net- 
work to another network, if somebody introduces a new application, 
the holes or the opportunities for hackers to get in and do some- 
thing will change continuously. 

By the way, I think you could also answer the question amongst 
different industry segments, the financial industry, the water in- 
dustry, the power industry. And each one of those can focus on 
their own mission-critical services and how cyber-secure they are 
and how they need to be. And we could share information amongst 
those ISACs too. 

Mr. Thornberry. That changing nature is part of the challenge 
for government because we don’t change very fast, particularly 
when we are talking about laws and regulations. So I think that 
is a good point that several of you made. 

Ms. Gau? 

Ms. Gau. I have been with AOL since the mid-1990s and never 
has there been a time where I haven’t had to argue until I was 
blue in the face about the need and the good business sense to in- 
clude security in our products. Our consumers are demanding it 
now. Extensive research that we have done shows that it is first 
and foremost on their minds when they are surfing the Internet, 
especially if they have family involved. 

And they may not be thinking about the nation’s critical infra- 
structure in that context, but they are thinking about how to be 
safe themselves and how to protect their point of vulnerability. And 
obviously, they have the buying power. 

Well, consumers are not the only buyers out there. As some of 
my colleagues have mentioned, government can play a role here in 
really driving the market for more secure products. One — a similar 
situation might be with Section 508 of the Americans with Disabil- 
ities Act which requires that companies include accessibility in 
their products if they are going to sell to the government. Similar 
types of approaches could be taken in the area of security. 

With respect to what more could the government do, I would go 
back to the mission of the National Cybersecurity Division and to 
homeland security in general in this area with respect to informa- 
tion-sharing, providing those of us in the industry, those of us that 
are working to keep the critical infrastructure up in place with in- 
formation that we might not be able to easily obtain elsewhere; to 
provide for research and development in areas that we are not able 
to. And to also work to educate all users, consumers, businesses 
and other government agencies alike about the need for cyber-secu- 
rity. 

Mr. Thornberry. Thank you. 

Ms. Lofgren? 

Ms. Lofgren. Thank you, Mr. Chairman. This is a very helpful 
panel. 

And actually, if I am listening to you, I am hearing broad agreement 
on many themes: that we do need standards. We need accountability 
towards those standards. We need a role for government 
in coordination and maybe assisting in the development of 
those standards, additional research. 

I am glad, Mr. Ianna, that you mentioned the physical infrastructure 
issue because that is also — I don’t want to belabor that. But 
that is something that we — you know, we are thinking hackers, but 
actually the tradition of terrorists has been guys with bombs. So 
we should not overlook that element. 

I have a question because Mr. Diffie mentioned that we do now 
will have a downstream effect. And I think about that all the time, 
that if we make a misstep now that it will have an impact, you 
know in 10 or 50 — my children will live with the mistakes that I 
make. And so I especially want to avoid them. 

And while we are focusing on security, which we must do, I am 
eager to hear from you, what is the worst thing we could do as the 
federal government that would either impair our security, but also 
impair our liberty in the future? I am concerned about what we 
might do now that would impact the architecture of the Internet 
to the detriment of our free society. And I am wondering if you 
have thought about those issues and what your thoughts might be. 
Each of you, starting with Mr. Reitinger. 

Mr. Reitinger. Thank you, Congresswoman. Although it is a lit- 
tle unfair for me to go first on each of these. I will be very brief 
so I don’t cut folks off. 

I would say I think the worst thing that you could do is some- 
thing that would impair security and privacy innovation. Doing 
something in such a way that the ability of industry to respond to 
the increasing market demand for security and the increasing need 
for homeland and national security, that ability would be impaired 
in some way. 

Mr. Diffie. I guess my greatest concern is that these tech- 
nologies will get bottled up and become the properties of — to give 
the jargon, certain elites, in the way that say, drug development 
is now regulated. I think it is very important that people continue 
to own their own computers, genuinely to own their own com- 
puters, to have the root authority and the actual power to control 
what their computers do. So that we get security sort of by an ag- 
gregation from the ground up of all of the individual citizens, rath- 
er than something imposed by some government-industry security 
mechanism that restricts either security practices, security uses, or 
in general, the use of computers by the citizenry. 

Dr. Lowery. I think anything that you do which does not allow 
for the fact that security is a moving target is going to be ill con- 
ceived. It is a changing landscape from day to day. 

So anything that is done above and beyond what customers are 
asking us to do, I think has to be very carefully considered, because 
ultimately, as time moves forward and we are looking back on 
what we are deliberating today 15 years from now, we very well 
may say, How could we have foreseen this happening? 

So we have to be very open minded about what could happen in 
the future, and not kid ourselves that we have all the answers 
today. 

Mr. Adelson. I think anything that government does that would 
slow down first response, and from, you know, that if, your good 
intentions aside, monitoring or controlling the “Internet,” with 
quotes around it, you know, is something that is far beyond the 
scope, and if you tried to implement such a thing, I fear that the 
Internet itself would actually be at increased risk toward our, you 
know, how fast you get back up after a national crisis. 

Mr. Ianna. I think the worst thing that the government could do 
is not listen to the industry participants as to what they are capa- 
ble of doing, and what can be done in a timely and cost-efficient 
manner. 

I go back to some of the NRC days, where we were trying to de- 
fine a failure. And if you ask a consumer group, they may come up 
with something that says, Well, this is a failure, and every time 
you have this failure you need to file a report. 

We would have cut down acres of trees and buried Washington 
in paper and not improved the state of reliability had we adopted 
some of those that the industry said, This can constitute a failure, 
and this is what we want to improve. We work together in a true 
partnership. 

I really believe that all of the industry participants in that case, 
in telecom, although we were fierce competitors, came together in 
the best interests of the country. 

So listening to the participants about what is doable and what 
can be done quickly and cost-effectively, I think, is very important. 
Not listening to them, I think, would be a very big mistake. 

Ms. Gau. Well, I have to echo all my colleagues’ comments, par- 
ticularly in the area of developing standards that might be obsolete 
by the time they would be published, because security is a moving 
target, and it is an ongoing process. 

Additionally, I think, one of the worst things government could 
do would be to not engage and further strengthen relations with 
the private sector. 

There have been ongoing dialogues. AOL has very close working 
relationships with government and also with law enforcement at 
the state and local levels, and we are engaged in a continual dia- 
logue. 

But anything that would hamper our ability to respond, whether 
it is some type of system where we have to go through a central 
control without being able to first focus on what we need to do as 
a company to get our business back up and to be able to provide 
the service to our customers would be a mistake. 

Mr. Thornberry. The gentleman from Texas, Mr. Smith. 

Mr. Smith. Thank you, Mr. Chairman. Mr. Reitinger, let me ad- 
dress my first question to you and ask you to call upon your experi- 
ence with the Department of Justice, where you served prior to 
joining Microsoft. 

There, according to your bio, you were a prosecutor of computer 
crimes. One of the frustrations we have on this committee, and I 
have to say we have on the Judiciary Committee, as well, is not 
being able to quantify the number of computer crimes, not knowing 
how many are committed, not knowing what the trends are, and 
therefore, not being able to necessarily address the problems as 
much as we should. 

As you know, when computer crimes are prosecuted, they are 
kept track of by statute, not by type. What can we do to get a better 
handle on the types of computer crimes that are committed, how 
many are committed and what the trends are? 

Mr. Reitinger. Thank you very much, Congressman. 

I think your frustration is widely felt. One of the concerns — and 
you will see in the opening of my written statement, as I think in 
prior testimony the committee has seen, there is a general sense 
that we don’t really know what the scope of computer crime and 
computer damages are. We actually don’t have a statistically rig- 
orous measurement of the amount of harm from computer crime 
and computer attacks. 

There are government agencies that do that sort of thing, the 
Census, the Bureau of Justice Statistics. I would think that having 
a statistically rigorous analysis of the amount of harm that our 
economy faces as a result of computer crime would be a very valu- 
able thing and help close what I think of as the knowledge gap that 
we face in addressing questions in that area. 

Mr. Smith. I agree and I think that is exactly what we need to 
do. And I will try to engage in some discussions with the various 
agencies to try to collect that information for the reasons that you 
stated. Thank you. 

Dr. Lowery, in regard to your testimony, you mentioned some of 
the initiatives that Dell has taken as far as systems security goes. 
Would you go into a little bit more detail specifically about what 
Dell has done that you find effective? 

Dr. Lowery. Yes, I would be glad to. 

Dell has responded to customer input, specifically from our fed- 
eral customers, to deliver from our factory directly to them Micro- 
soft Windows 2000 installed on Dell computers, specifically the 
Optiplex, Latitude and Precision Workstations, that are already set 
with the configuration settings from the Center for Internet Secu- 
rity, which I mentioned before. 

The reason that we have done this is purely because customers 
have requested it. Also, we see it as something that can be made 
available to all of our customers. It is not something that is re- 
stricted to our federal customers. We think that everyone can ben- 
efit from it. 

So this is an example of industry best practices as they exist cur- 
rently, today, that we can bring to market with very minimal lag 
time because of our direct model. We build — most every system 
that we ship is custom built to that particular customer’s order. 
And so as soon as we have new information that impacts product 
safety or security and we are able to get that into the product and 
into the factory, it is in our customer hands typically in five to 10 
days after that as we start shipping it. 

So that is why we have taken that role. We can deliver that tech- 
nology fairly quickly to our customers that have requested it. 

Mr. Smith. Thank you, Dr. Lowery. 

Mr. Reitinger, let me go back to you and Ms. Gau. Both of you 
have had extensive experience dealing with the federal govern- 
ment. We have heard in response to some earlier questions that we 
need to establish a better relationship with the federal government. 
We need to do more listening, and so forth. Specifically, though, 
how do you think the federal government can better, or more en- 
hance cybersecurity? 

Ms. Gau, let me begin with you. 

Ms. Gau. At the risk of sounding repetitive, I am going to go 
back to the information-sharing, the research and development, co- 
ordination with private sector and education components that actu- 
ally form the mission of the National Cybersecurity Division. 

One of the areas that we are looking at right now in terms of 
the industry is information-sharing with each other and how we 
can continue to improve on those processes that already exist, such 
as 24-7 contacts that exist amongst the players in the industry. 
And taking that a step further, really having that kind of coopera- 
tive relationship with government at the DHS level in the National 
Cybersecurity Division is something that I would very much look 
forward to. 

At this point, we are still developing our relationship with DHS 
and I look forward to seeing the Cybersecurity Division get going, 
so to speak, and engage us more actively. 

Mr. Smith. Okay. Thank you. 

Mr. Reitinger? 

Mr. Reitinger. Thank you very much, Congressman. 

I will also — I think the main points we have hit on and Ms. Gau 
also retracked there — let me touch on one point on information- 
sharing. There is an anecdote I have heard about something that 
occurred long ago, before the IT ISAC in particular was formed, 
where my boss’ predecessor, Howard Schmidt, got a call in the mid- 
dle of the night from the network operation people who said we are 
seeing a spike in network activity. He came in and he saw that 
there in fact was an issue and started calling his colleagues, includ- 
ing a colleague from Sun. 

They were able to sort of quickly see that this spike was occur- 
ring across the networks and take some action. In particular, How- 
ard was able to reach out and talk to people at the Department of 
Defense, and as a result, a lot of DOD computers got protected as 
a result of that. 

This goes to show that we already have a lot of ad hoc and very 
valuable information-sharing that is taking place. What we need to 
do now is put that on rails, make it a part of business processes 
for both government and industry so it becomes a part of how we 
do business. And the government, I think, can help a lot in that 
regard, in particular in some of the ways Mr. Ianna was referring 
to. 

Mr. Smith. Thank you, Mr. Reitinger. 

Thank you, Mr. Chairman. 

Mr. Thornberry. Thank you. 

The Chair’s intention is to call on members in the order of ap- 
pearance at the hearing. And I will now call on the gentleman from 
North Carolina. 

Mr. Etheridge. Thank you, Mr. Chairman. Let me thank you 
and the ranking member for holding this hearing, and more specifi- 
cally, for our witnesses being here today, because I sit here and 
think of so many questions, so much information and so little time 
on such a critically important question. 

Mr. Reitinger, let me ask you the first one, because I am going 
to go from your written testimony, if I may, and then I will come 
back and ask the others. The next time I will go in reverse order 
from the other end. But yours first. 

You stated that cybersecurity remains an interagency problem, 
as you said earlier, and that a key role for DHS and the National 
Cybersecurity Division is building industries for effective govern- 
ment action in helping other agencies develop procedures that sup- 
port homeland security. 

What has the department done thus far to fulfill this role? And 
have its efforts produced results that industry is feeling? 

Mr. Reitinger. Thank you, Congressman. 

I might be the wrong person to ask that question to. The people 
who could best answer it would be in the department. 

I am very encouraged by a lot of the activity that the department 
is undertaking. I think they are very new. They were only officially 
stood up less than six months ago. But listening to the things that 
they are saying, particularly Assistant Secretary Liscouski, on the 
issue of cyber-security, I am looking forward with hopeful expecta- 
tion to the things that they are going to accomplish. 

In particular, one of the things that I think they are doing is fo- 
cusing on deliverables, getting things done in both the short term 
and the medium term as they look towards the long term. 

I think there is a tremendous problem there. There are a lot of 
government stovepipes that need to be tackled. And I think the en- 
tire department needs a lot of help from across the bureaucracy 
and from this committee. But I feel very hopeful about it. 

Mr. Etheridge. Thank you. Want you to understand, I asked 
you that question because you have been inside and now moved 
outside, and I think it is critically important to hear your views on 
it. 

Let me start on the other end and ask this question of each one 
of you very quickly, because each one of you touched on about the 
security issues that you are employing that you have ramped up. 

And my question is, what event or events prompted the addi- 
tional focus on security from your strategic standpoint as an indus- 
try? Because different ones have talked about the customer de- 
mands — that does it. Was it customer demand or was it an attempt 
to differentiate between products or some other events? Because 
you have shared with us the need for industry to be given a goal, 
but at the same time industry’s going to take certain actions. 

It would be of interest to me and I think to others on this com- 
mittee to know some of the things that have driven that. 

Ms. Gau. As a consumer-facing business, the AOL perspective is 
going to be geared, obviously, towards what we see with our con- 
sumers. 

Whereas there have been the early technology adopters, as well 
as other people out there in the marketplace that have always been 
concerned about security, I would say that it was probably right 
around the time of the Melissa virus in the year 2000 when the 
mass market of consumers all of a sudden realized that, My gosh, 
a virus, and the whole story of how it propagated and how the guy 
then got caught and the cooperation that was entailed in catching 
the guy — it really all of a sudden woke people up. 

And it was about the same time that also there were the attacks 
against eBay and a number of other major providers that were 
taken down for a brief period of time, as well as some privacy 
breaches, some high profile privacy breaches that took place that 
year. 

So I would say it was really in 2000 that we started seeing our 
consumers identifying safety and security as a top priority for them 
in the security research or general research that we do on a routine 
basis to understand our customers. 

Mr. Ianna. Actually, it starts from customer demand, but that 
only starts from the base of what you know and what you are try- 
ing to protect against. For example, in a data network you are say- 
ing, I am trying to make it as reliable as I possibly can. People 
know about cable cuts, they know about software failures — trying 
to make sure that this network is four nines of reliability. All of 
a sudden some other new thing comes up, somebody does a distrib- 
uted denial-of-service attack, and you are hosting that Web site in 
your network. You now have to be aware of the fact that this goes 
on and how do you mitigate it. 

So it is not only customer demand but it is an event that occurs 
that is a new form of failure that you very quickly have to adapt 
to. 

And unfortunately, as networks get more and more sophisti- 
cated — for example, let us say for example in data networks now, 
Wi-fi becomes a very popular form of access. I guarantee you we 
will see different types of failures and different types of potential 
intrusions in gathering information in that network than we have 
seen in other networks, maybe because of the unsecure nature of 
transmitting some of that information. 

So it is the baseline of what you know always augmented by 
something new happening and customers saying, “I don’t want that 
to happen to my application. What are you, AT&T, what are you, 
service provider, ISP, doing to prevent that from happening again?” 
And that is what drives our continuous development. 

Mr. Adelson. I will speak to the physical components, since that 
is our area of speciality. 

There was no specific event which changed the focus on physical 
security for us. I know back in 1996, I worked at Digital Equip- 
ment, in their research, and what we found was that the partici- 
pants — and infrastructure radically changed from 1996 to 1997, 
and started to include companies like Alta Vista and Yahoo and 
Google, as well as the network service providers. Their require- 
ments for physical security had commerce behind it, and it changed 
all of the focus. 

And so, for example, exchange points moved from a central office 
to a robust physical infrastructure. That is really the closest thing 
to an event — it is really a market shift that focused our change. 

Dr. Lowery. Congressman, I would say that I perceive no spe- 
cific event, but instead a succession of events that are also progres- 
sive, kind of ramp-up. 

And also, as Mr. Diffie mentioned earlier, we are making a tran- 
sition to more virtual world. And so it is becoming more important, 
and becoming something that we rely on increasingly. And this has 
been happening over the past three or four years. The time lines you 
have already heard. 

So that does drive customer demand. As customers become more 
aware of how much they have invested in these technologies, and 
how much those technologies impact them personally, they start 
making more specific requests. 

And as I said, we are always open to our customer input. That 
is what we are looking for. We look to them to help us make a de- 
termination as to where we go next as far as what we should be 
doing with our products. 

Mr. Diffie. Well, he stole my line. I thought I was going to be 
first to say that I couldn’t remember any explicit event. 

As I go back over the half dozen things I can list, which seem 
to be significant Sun contributions to security — client-server computing, 
Java, hardware domaining, Trusted Solaris — my sense is 
that they are the responses to our perception of our customers’ 
needs in security, as opposed to their desires in security. 

So, for example, with the rise of the World Wide Web, the devel- 
opment of a computer language intended to have security with mo- 
bility — in this case, mobility of code — was intended to enable the 
sort of business development that we saw. 

And I think that is the kind of reflection that is always going to 
be required in this area, that you are never able to determine secu- 
rity requirements merely by market survey. 

Mr. Etheridge. Thank you, Congressman. 

Rather than listing a specific event, I will briefly mention three 
factors that I think play outside of customer demand, one of which 
relates to what Mr. Diffie was just talking about. 

First, I think there is a business imperative to build trust. Secu- 
rity is in a sense less a size of the slice of the pie issue as it is 
a size of the pie issue. 

For all of us to do better and be more successful, we need peo- 
ple — and for society to be more successful — we need people to uti- 
lize information technology broadly. That is not going to happen 
unless people trust information technology. And so we need to ac- 
complish that. 

Second, September 11. September 11 taught us we need to worry 
not just about the foreseeable, but also the unforeseeable. 

And third, and this is a point related to what was just talking 
about: social responsibility. With market share comes responsi- 
bility. And we as large and important corporations have a responsi- 
bility to look towards protecting the security and privacy of our 
customers. 

Mr. Thornberry. Thank you very much. 

Thank you. Chairman Cox. 

Mr. Cox. Thank you, Mr. Chairman. 

I want to thank this panel for being exceptionally educational 
and for your willingness to devote some careful thought into pro- 
viding your fair testimony even before you got here and, of course, 
for your years of experience that enabled you to do that. 

And I want to thank the chairman and the ranking member for 
organizing this particular focus on cybersecurity. As members of 
the panel know, in organizing this Committee on Homeland Secu- 
rity, and indeed, in organizing the Department of Homeland Secu- 
rity last year, the Congress had it in mind to pay particular atten- 
tion to our information infrastructure. And this subcommittee is 
the only subcommittee in either the House or the Senate devoted 
to cybersecurity. 

I make the point because so much of our focus on what we now 
call homeland security, on fighting terror, is really coming to grips 
with technology, whereas in the 20th century, only nation states 
could pose WMD threats to us; in the late 20th century, we found 
that such dirt-poor nations as North Korea could pose similar 
threats. And now we are finding that terrorist bands, and ultimately 
I am sure we will come to the conclusion in the 21st century, that 
individuals will find their own capacity to harm civilization levered 
by psychology in the same way that this technology is improving 
our productivity in all other peaceful aspects of our existence. 

And so I want to make sure that as we organize the Department 
of Homeland Security, we are focused not just on, for example, the 
Internet the way we know it today but on where this technology 
is headed, because 10 years ago if we had had this hearing and 
asked these questions with all that time to prepare, we still 
couldn’t have prepared ourselves because so much of what we have 
today was unknowable at the time. And we want to make sure that 
in the future we are nimble. 

So in matching the strengths and weaknesses of the federal government, 
which we have all agreed today needs to be a partner in 
this venture with those of the private sector, I find that one of the 
federal government’s characteristics is extremely troubling. And 
that is that it tends to be ponderous and sluggish in its movements 
in developing regulations or in implementing its policies. Whereas 
what typifies not only the private sector but, in specific, the tech- 
nology industry is lightning quick ability to change. And this 
change is going on all around us, not just our nation, but around 
the world. 

And so, my question is as we have gone from, for example, Code 
Red 2 years ago to Slammer this year and we have got our reaction 
time to a matter of minutes, and we may be looking at even sec- 
onds, when what you are asking the federal government to do is 
help post best practices, how do we deal with the fact that it might 
take too long for the federal government to be the clearinghouse for 
this information? 

And anyone who wants to jump at that is welcome to do so be- 
cause you are all expert in this. 

Mr. Diffie. Well, I will take a brief crack at it and say I think 
that the federal government should not be apologetic for being pon- 
derous and slow. It is running the largest enterprise in the world. 
And I don’t think if we look at the record that we would see, in 
cases where it is active in haste, it has necessarily acted very wisely. 

I think the important thing in here is that there are long-term 
principles. Federal legislation must recognize the principles, speak 
to the principles, speak to provision of resources, and certainly 
weave the rapid reaction much further down the chain from Con- 
gress, perhaps to parts of federal agencies and to industry and indi- 
viduals. 

Mr. Cox. Well, that certainly reflects my views, particularly 
when it comes to writing legislation. I want to be sure as a norm 
here in Congress that we try not to write technology into the law, 
because ultimately the lawyers will then make sure that in order 
to comply with the law, you maintain the technology that is written 
in the statute. 

And that will be a very, very bad world indeed. And so, I think 
your recommendation is getting us on the right track. I would be 
happy to hear further. 

Mr. Ianna. Yes, I think the answer to that question or an answer 
to that question is there are many solutions to a problem of shar- 
ing information. For example, the Telecom ISAC, we have to be 
very comfortable with that one. It has been a good government/in- 
dustry partnership. 

I think the thing that we could be ponderous on is that there are 
many good solutions, and deciding which is the right one, we spend 
too much time on. I think they are all about 80 percent right. 

And I think we need to spend more time on taking a good example 
of what works and then applying that to other industries, and not 
worry about not making the right solution, but making the solution 
right, and leave the quick, rapid response to an ISAC or to 
an information sharing way lower down in the chain, but get the 
people and the participants participating in that very quickly and 
define what you want to protect and how you want to define your 
measure of success very quickly. 

And just say, for example, if you are protecting water, what are 
our critical systems that we want to have? What is the level of 
cybersecurity we need around those? Let the industry participate 
in that. And then, further down the chain, let them go implement 
those solutions. 

And then you will have to continuously look at it, because 
threats will change, lots of things will change, networks will 
change, but you will have a history, then, of are we getting better 
or are we getting worse? And that is the key. 

Mr. Thornberry. Mr. Reitinger? 

Mr. Reitinger. Just briefly, chairman, thank you. 

I think that this is a — cybersecurity is a network problem much 
like the Internet, and requires a network response. The govern- 
ment has some very important nodes on that network, with some 
strengths and weaknesses, and probably needs to concentrate on 
the things it does well and must do, as Whit was saying before. 

Within DHS, I think it needs to concentrate on three things: peo- 
ple, process and technology. And I think of those three, they are 
all important, just to expand a little on process. There are a lot of 
government business processes that are no longer well suited to 
protecting homeland security in a new environment. And DHS 
needs to lead that transition and incentivize — I know it is a private 
sector word — but incentivize that transition within government for 
processes that effectively protect homeland and national security. 

Mr. Cox. I thank you, Mr. Chairman. My time has expired. 

Mr. Thornberry. I thank the Chairman. 

Ms. Christensen? 

Mrs. Christensen. Thank you, Mr. Chairman. I want to wel- 
come the panelists. We have had some briefings on cybersecurity 
that left us a lot less hopeful than informed than the information 
you have provided for us today. 

I want to begin by asking Mr. Adelson a question. Putting what 
you do in the perspective of first responders is very helpful. And 
communications, steps in information management, is an issue for 
all of the first responders, the fire, police, everyone. Is this a part 
of the ongoing dialogue that the private sector is having with the 
federal government? And do you have any recommendations as to 
what this committee can do to better make that more efficient so 
that you can respond in a timely manner? 

Mr. Adelson. Sure, I believe that there is a lot of learning going 
on right now, and I should stress that we are in the initial stages 
of determining where the threshold should be in information sharing. 
Information sharing being the critical component, as you have 
said, as an exchange point operator, having seen the communication problems 
that go on between network and service providers and vendors 
in government today, we know that it is a monumental task 
and should be approached very carefully. 

A classic example of this is the Freedom of Information Act provisions 
that really must be preserved to protect network service providers 
so that they can freely share that information with government 
without concerns. 

And I feel that that is one example of a number of areas where 
really we have to understand the full scope of what is at stake for 
network service provider before engaging in any kind of formal 
process. 

But I am encouraged by the process that has happened so far on 
the standards and suggestions that I have seen. 

Mrs. Christensen. You raise the trusted environment again. 
And that is really critical between the private — between private in- 
dustry and between private industry and government. Are there 
recommendations from any of the panelists as what this committee 
can do to foster that trusted environment so that the communica- 
tions can flow as it needs to flow? 

Mr. Ianna. The trusted environment can exist in a government- 
private partnership. We have seen it work in the telecommuni- 
cations environment. We are concerned about sending lots of infor- 
mation to not only one place, but multiple places to then have it 
become public, which may not be in our best interests. 

The other thing, I think, that is really important is to get to the 
level of protection that I think we all want. A macroanalysis of 
vulnerabilities will not get you there, in my opinion. You have to 
get to the microanalysis of each and every industry and network. 

An example that I give is I could create a network for a large 
bank out of AT&T services, SBC services, Microsoft services, 
Equinix services, et cetera. And that could be very, very physically 
secure and very logically secure. I could take the same bank and 
the same four vendors and create a network that is not physically 
secure and not logically secure, just by putting the parts together 
differently or having absence of pieces. 

So a macroanalysis does not get you there. It is a microanalysis, 
and it has to be done at the industry and at the entity level. A lot 
of the components to create very secure, cyber secure, and very 
physically secure networks are there already. And a macroanalysis 
of this may not get you there. It has to get down to the, I believe, 
the individual network level. 
Mrs. Christensen. Well, maybe I can — I don’t see anyone else 
jumping to answer, so I will ask my last question. 

The government and the private sector have been collaborating 
and discussing security before the creation of the Department of 
Homeland Security. Has there been good continuity in that collabo- 
ration? Has it improved? Has the creation of the department, 
bringing all of the different parts under one umbrella, has it be- 
come more cumbersome? Has this dialogue between the private sec- 
tor and the government improved since the Department of Home- 
land Security over these issues? Or is it more complicated because 
of all of the different pieces coming under this one umbrella? 

Mr. Adelson. Well, I will say that my experiences before the De- 
partment of Homeland Security, while encouraging that there were 
efforts underway, we were, you know, minimally exposed to. Part of 
it is because, you know, we were focused on our customers and we 
didn’t have the resources to have someone here in this environment 
at all times to interact with government. 

One of the components of DHS which was encouraging for us was 
they were reaching out. And for the first time we were hearing 
from government with a request to learn. Like this hearing today 
is a great example of that. So I think we are headed in the right 
direction. 

Mr. Ianna. I would just like to say that as part of this, many 
state governments have done something similar. And certainly, 
from a response request and the amount of effort that you have to 
put into it, and the vulnerability of information and create a few 
lists in 51 places, as opposed to one place, also. I would like to see 
more coordination and templating amongst the states to the federal 
level also. I think that would be very helpful. 

Mrs. Christensen. Thank you. 

Thank you, Mr. Chairman. 

Mr. Thornberry. Thank you. 

Vice chairman of the subcommittee, Mr. Sessions? 

Mr. Sessions. Thank you, Mr. Chairman. 

I am sorry to have skipped back and forth, but I heard the testi- 
mony from Mr. Diffie, and I heard you talk about standards by the 
government. I heard, certainly, Mr. Ianna talk about government 
standards that would be good for us to develop. And part of 
the dialogue and discussions then that Dr. Lowery was the CIS. 

The question I have got for anyone on the panel is is there any 
consensus on a best practice? 

Mr. Ianna, I just heard you say you could develop a secure net- 
work that would be great. And depending on how you put the 
pieces of the puzzle together, it may or may not be secure using 
even the same vendors. 

Is there a best practices model out there that should be looked 
at, sanctioned, if not by some government entity, by I think they 
are called CIS? Is there something out there today that says this 
is the most secure way that we know of today to develop the archi- 
tecture? Or would everything just be so robust you would have to 
literally pay somebody thousands of dollars to come and piece, part 
it for you? How difficult is that? And does the government follow 
a model, from what you can tell, as related to whatever this busi- 
ness model may be? Anybody? 
Mr. Ianna. I will try a shot. There are best practices that indus- 
try participants have shared. The NRIC, previously the NRC, is a 
good example of that. As we came across failures and we analyzed 
failures, we figured out what do people do? And what do people do 
well and what do people do not so well, or companies within that? 
And we created best practices and we shared them. And we are 
doing that right now in NRIC 6 at the physical level and at the 
cyber level. 

But to paint the entire problem, I believe, with one set of best 
practices, I would just urge that we don’t fall into the trap. For ex- 
ample, a best practice for a financial application at a very high 
level transmitting, you know, hundreds of millions or billions of 
dollars in transactions may be one set of best practices. 

And somebody surfing the Web for information may be a totally 
different set of best practices with different levels of security, fire 
walls, et cetera. 

So I believe that best practices do exist in industries. I think we 
have some proof of it in the telecom industry. I can’t speak for oth- 
ers. I think there are — power industry, for example, et cetera. But 
I don’t know if there is one best practice that fits all sizes of all 
types of networks and applications that the government should 
sanction. I don’t know if we should go that far. 

Mr. Sessions. Then, what would you say? Dr. Lowery, you might 
want to speak to this, but what would you then say, and your ob- 
servations about the United States government, following these 
known best practices, how well do you think they do? 

Mr. Ianna. Well, that is a good point. 

The government is a very big customer. And it can drive some 
very big changes in the industry or practices in the industry just 
from its own purchasing power. So if the government decided, for 
certain networks, that it wanted these levels of cybersecurity, 
firewalling, anti-virus software, automatic updates, et cetera, it 
could drive that particular standard for that level of security be- 
cause you have the purchase power of a large customer. 

Mr. Sessions. And how well do you think the government does? 

Mr. Ianna. I really can’t paint that with one brush. I don’t have 
an answer. 

Mr. Sessions. Good. There are examples of very, very good? Or 
do you know enough about this to speak on this? 

Mr. Ianna. I probably don’t know enough about it. 

Mr. Sessions. Okay. Thank you. 

Ms. Gau. If I may, I just wanted to pick up on one element that 
Mr. Ianna mentioned. And that was the auto updating. 

When you look at some of the organizations in the industry today 
that put out security standards, there are a number of them other 
than CIS. And they try to market it as a service. There are even 
security seal programs just like there are privacy seal programs 
where the industry is trying to take a self-regulatory approach to 
establishing a baseline level of security for certain applications. 

The problem is that as we have already said, security is an ongo- 
ing process and a moving target. And as part of any of these stand- 
ards, as part of any potential piece of legislation, it needs to be 
auto updating. And there lies the dilemma. 
Mr. Sessions. I would love to see it stay away from legislation, 
but to be able to say there is some standards body that we believe 
enunciates the best practices and becomes a model. And somebody 
talked about this. I think that that could be a way to highlight 
someone. And I think that is the best way that we ought to pat 
somebody on the back but not with rules and regulations. 

Dr. Lowery, did you have a comment or someone else? 

Dr. Lowery. Just wanted to expand on the Center for Internet 
Security and also what has already been said, just to expand on 
that somewhat, that security is not one-size-fits-all. There are best 
practices, though, which are broadly applicable. And the Center for 
Internet Security benchmark level one is intended to be that kind 
of best practice. 

They also have level two benchmarks, which are much more rig- 
orous. And then you could also turn to individual companies and 
the products that they provide, and they can give you also their 
recommendations on how to best secure their products. So you look 
at the situation in which the technology is going to be deployed. 
You adopt best practices, which everyone has already agreed these 
are good ideas, and then you specifically tailor the security for your 
environment. 

Mr. Diffie. So let me speak to two aspects of what you have 
said. One is that the question you are asking about how well the 
government has done is really one in my mind that if in need of 
objective measurement, that is to say, I think, that it would be- 
hoove the government to just go through, make provision for as- 
sessing the security in operations of the computer systems it is 
using. 

And then, asking about each individual sort of product and in- 
stallation configuration, should we have been doing this. Should we 
continue to buy more things of this kind from the spender, what- 
ever? A reactive — an energetic, a due diligence customer approach. 

The other point is it is the most critical thing in security in many 
ways, is a realistic vision of the threats. And we have before in 
Washington seen the impact of unrealistic visions in both direc- 
tions, one of which is not to worry about it, and the other of which, 
particularly during the Cold War, is to let us security enthusiasts, 
and I have — though were many in the federal government, get in 
a position to try to push, in this case, civilian agencies to meet var- 
ious kinds of military standards that merely cost a lot of money. 

And because there was a general — not an inevitable, but a gen- 
eral antagonism between security and flexibility, you must be very 
careful about how you impose practices and security standards on 
agencies so as not to interfere with their getting of their work done, 
which is the primary thing. 

Mr. Reitinger. Briefly, Congressman, to re-emphasize what Dr. 
Lowery said, there is no one-size-fits-all solution. Anyone taking a 
particular configuration of the system, for example, needs to take 
a look and see whether that meets their particular environment. 

But one additional point, one thing that can be done, and some- 
thing that Congress did last year was pass a management frame- 
work for information security in the federal government as a part 
of FISMA. So that is not a one-size-fits-all, that is actually a man- 
agement framework that addresses security in federal government 
systems. 

Mr. Adelson. You asked a specific question about whether best 
practice could secure, and I just wanted to point out best practices 
are important, but there is still a lot of research that needs to be 
done at the industry level to fully secure vulnerabilities that we 
have exposed over the course of the next few years in the infra- 
structure, and we can’t just leave that. Federal government could 
help with funding of research, for example, to help get us there. 

Mr. Sessions. I thank the panel. 

Thank you, Chairman. 

Mr. Thornberry. I thank the gentleman. And I might mention 
next week this subcommittee is having a hearing trying to focus on 
the research and development ahead and what those needs are and 
how those resources ought to be directed. And so, I think the gen- 
tleman makes a good point. 

The gentlelady from California, Ms. Sanchez? 

Ms. Sanchez. Thank you, Mr. Chairman. I have some specific 
questions for — and so, I will call out the names when I come to the 
question for you all. 

I just want to say thanks for having me, Mr. Chairman, and I 
know I have learned quite a bit. 

I am a member from California, and I represent Orange County, 
which has a pretty good information and high-tech community. So 
I have been working with some of my colleagues, like Anna Eshoo 
and Zoe Lofgren and others on some of these issues like encryption 
and everything over the years. But I mean, this is just such a large 
area for us to try to focus on. I really appreciate all of you being 
here today for it. 

Mr. Reitinger, even if an underlying operating system is consid- 
ered secure, can programs running on that platform still cause 
problems like spreading viruses or attacking other systems? And if 
that is the case, would we need to security check every piece of 
software that we run? 

And if we do that, do you foresee proprietary problems if it is nec- 
essary to check source codes of all programs, for example, for secu- 
rity holes, embedded viruses and other issues? 

Mr. Reitinger. Certainly, applications as well as operating sys- 
tems can have vulnerabilities and can pose difficulties. I think 
what is essential is to use software that is developed by companies 
that use a robust quality assurance or software assurance process 
where they, in the course of development do — use trained devel- 
opers, track their source code, do code reviews, do external third- 
party reviews, do penetration testing and seek external certifi- 
cation, such as the common criteria, for their products. 

And I think that provides a fair amount of assurance that the 
products are as secure as they can be under the circumstances. 

Ms. Sanchez. Thank you. 

Mr. Diffie, you say that the latest encryption standard is as se- 
cure as you need to be. And I was just discussing with Ms. Lofgren 
where we were with encryption, because we have been working on 
this for awhile. I know it is a regulatory process now, and we seem 
to have an ability to move encryption standard, if you will. Can you 
explain what you meant by as secure as we need to be at this 
point? 

Mr. Diffie. I apologize — I don’t think that was probably exactly 
the term I used. I think I said as secure as one could want. And 
what I meant precisely is that when the data encryption standard 
was fielded 25 years ago, it had to give, getting into technicalities, 
a 56-bit key, about a billion billion possible keys. 

And that number was chosen, at the time, to be a compromise 
between the desires of the intelligence community and the per- 
ceived security needs of civilian government. 

The advanced encryption standard offers three different key 
lengths: 128, 192 and 256. And as far as my community, the open 
cryptographic community can tell, and as far as we understand 
from NSA, what they believe, we do not know how to break into 
AES encryption at any of those key lengths faster than just looking 
through the keys. That is infeasible at all three of those lengths. 

And so to take the words of the preface to an old Soviet 
encryption standard, this algorithm places no limitation on the se- 
curity of the data to be protected. 

So that is exactly what I meant, that the intent here and what 
we observe in the public community and what NSA tells us all ac- 
cord in saying that this is as secure as any cryptographic algorithm 
we know of. 

Ms. Sanchez. Thank you. I hadn’t quite heard it put that way 
so thank you for your information on that. 

Dr. Lowery, you talked about a partnership between the vendors 
and the customers. Vendors provide security-minded products, and 
customers make sure that they have proper security settings. I am 
concerned about the customer who might not know how to keep 
things secure or inadvertently creates problems within the system. 
Can you elaborate on the responsibilities that you think we would 
like to see customers take on with respect to security? 

And how do we, as a government, encourage that? Because, you 
know, we are as secure as our weakest link and it could be one of 
these users. 

Dr. Lowery. I think one of the most important things you can 
do is to educate end users, not about technical aspects of security, 
but simply about the role that they play as individuals, as gate- 
keepers, into a larger community of data sharing and information 
sharing. 

If we could get the end users to understand that as a participant 
in e-mail, for example, simply opening an attachment has ramifica- 
tions that not only affects them, but could affect others. Just an 
awareness of their ability to impact others through how they use 
these technologies could go a long way to improving security for ev- 
eryone who participates in these systems. 

Ms. Sanchez. Thank you. 

I see that my time is up. I have some other questions, but I will 
submit them for the record, Mr. Chairman. 

Thank you, gentlemen and — 

Mr. Thornberry. The Chair thanks the gentlelady. 

The gentlelady from Texas, Ms. Jackson Lee. 
Ms. Jackson Lee. Thank you very much, Mr. Chairman. And 
thank you and the ranking member for holding this important 
hearing. 

To the panelists, thank you for your presentation and your indul- 
gence on members who have several hearings going on at once. 

Let me take personal privilege and express my appreciation that 
Dell is still in Texas, in Austin, Texas. We are gratified for that. 
And to thank AOL Time Warner for being one of the first groups 
to host members of Congress out into the Virginia location. I think 
that is prior to the merger, but we thank you very much. This is 
an important issue. 

The bell is ringing, I believe, so let me quickly comment. 

Mr. Thornberry. If the gentlelady would yield briefly? 

The Chair’s intention is to go until we have about 7 or 8 minutes 
left in this vote. My understanding is we have two votes. And then 
I would like to come back. Hopefully, we would be gone no more 
than 15 minutes, and then we could resume. And so that is my in- 
tention. 

Thank the gentlelady. 

Ms. Jackson Lee. In an article, and the date is a little fuzzy, so 
I will just refer to the article, talks about the administration abol- 
ishing the high-level Critical Infrastructure Protection Board and 
the fuzziness of the administration’s position on cybersecurity. And 
I would be interested in your assessment on what the sense of the 
industry is with respect to where government is on cybersecurity 
particularly in the loss of Richard Clarke, who was a very visible 
government person on these issues and the fact that this board 
now has been recomprised in DHS with a lot lower profile and 
staffing, if you are familiar with that particular board. 

But that was the board that had the face of the administration, 
and that is the Critical Infrastructure Protection Board that gen- 
erated after the turn of the century and of course, after 9/11. 

My question is what can we do in government as relates to 
cybersecurity? And I ask these questions. Do we need more infor- 
mation sharing? Do we need more firewalling? And do we need a 
best practices? And in your opinion, what are the three things that 
the government may need to do immediately to improve 
cybersecurity? If you want to point it at the department or point 
it at this select committee because we are supposed to be the fixer- 
up-it in terms of trying to find solutions. 

I would appreciate your response to that, whoever wants to jump 
in. Or we could start — we will start in that direction, yes. 

Ms. Gau. Thank you. I appreciate your reference to the former 
Critical Infrastructure Protection Board and Richard Clarke, whom 
I worked with quite closely, with him and his staff on the national 
strategy that came out. One of the things I have noticed is that 
there has been little reference, other than my own, to the national 
strategy to secure cyberspace. And although there are critics of the 
document that say it is too watered down and that it does not real- 
ly lay out responsibilities, it simply makes recommendations. 

It nonetheless serves as a blueprint. And there are detailed ac- 
tions and recommendations outlined in that document that address 
all of the issues we have been discussing today. 
One of my recommendations would be to indeed look at that doc- 
ument, engage more actively in pursuing the actions and rec- 
ommendations in the document, and to look towards perhaps ele- 
vating the level of attention that the national cybersecurity division 
has right now. 

My personal experience and AOL’s experience has been that 
when that board existed and Richard Clarke was in place, we had 
a much more active relationship with the White House on 
cybersecurity than we do now. 

And whether or not the placement of the national cybersecurity 
division within DHS is the appropriate location is not something 
that I believe I am qualified to speak to. But we would like to see 
a similar level of attention and priority given to the issue of 
cybersecurity. 

Ms. Jackson Lee. One of the points you mentioned was 
firewalling versus information sharing. And let me just say that se- 
curity is an almost unlimited excuse for keeping things secret. And 
very often in the short run that is the right thing to do. But I think 
it should be recognized that secrecy in regard to security matters 
should always be thought of as a vulnerability. Because no matter 
how hard you are trying to keep a secret, your opponents might 
discover it. And the ideal security systems are ones that operate in 
a very open environment, and do not depend on secrecy about 
themselves. 

So I want to say that although we in industry very often have 
a parochial interest in the government helping us keep secrets 
about how our products work, about what our vulnerabilities have 
been, that the long-run interest of government is probably in pro- 
moting and requiring greater openness. 

Ms. Jackson Lee. Can I get one person to answer the question, 
what the government needs to do right now in cybersecurity — just 
one person, and then? 

Mr. Adelson. I will say — 

Ms. Jackson Lee. I appreciate it. 

Mr. Adelson. — promote the Department of Homeland Security 
as the epicenter of information sharing for industry and federal, 
state and local government — number one. 

Number two, preserve the federal information act protections and 
the Critical Infrastructure Information Act. 

Number three, consider funding for outreach to promote the 
sharing, research and development of security and testing. 

I just want to say that that is an introduction. Right? But that 
is the immediate thing that could see support for, those three 
things would be critical right now. 

Ms. Jackson Lee. Anyone else? 

Mr. Ianna. Just to echo that, there are some examples of ISACs 
that I believe are working well. I could speak for mine in tele- 
communications industry ISAC as well as the Network Reliability 
Council sponsored by the FCC. We see effective partnerships be- 
tween the government and the private sector, particularly where 
the government is funding part of the infrastructure, which I be- 
lieve is important, which the other ISACs may not be experiencing. 
That might be a good model to move to those other ISACs. 
Ms. Jackson Lee. You think it needs to be elevated in the De- 
partment of Homeland Security from where it is now? 

Mr. Ianna. I can’t say that. I just say that there is an effective — 
it seems to be, from my perspective in this industry, an effective 
model in Homeland Security right now, in telecom ISAC. 

If the other ISACs are struggling — and I don’t know if they are — 
with information sharing, maybe a funding, a government funding 
of some of those ISACs would be helpful. 

Ms. Jackson Lee. Does anyone believe it should be elevated 
from where it is in the Department of Homeland Security to a 
higher presence, this whole idea of cybersecurity? 

Mr. Diffie. I am willing to say yes, but I think that is something 
to give a considered answer would require a bit of study of what 
is actually being done, organization of the department. 

Ms. Jackson Lee. Did you have a response, sir? 

Mr. Reitinger. I would say that I think cybersecurity is a crit- 
ical issue. I think one reaches a point where reorganizations be- 
come harmful rather than helpful. 

What we are interested in now is seeing action and working with 
the department to make it as productive and effective as possible. 

Ms. Jackson Lee. Thank you. 

Mr. Thornberry. The Chair thanks the gentlelady. 

As I mentioned, we have two votes, and my intention is to be 
back in about 15 minutes to continue this hearing. 

Again, I thank all of our witnesses for their patience. 

And we will resume shortly. 

The subcommittee stands in recess. 

[Recess.] 

Mr. Thornberry. The subcommittee will resume its sitting. Ob- 
viously, other members are going to be coming back after the vote. 

And again, I thank the witnesses for their patience. 

Let me ask about a couple of areas as members are coming back. 
One of the things that I am struck by in each of your testimony 
today is a somewhat different tone from some of the testimony we 
received before. 

In some of our previous meetings and hearings, there is a feeling 
that the advantage lies with the cyber attacker, that the advances 
in technology are really working to the advantage of the people 
who are trying to break into systems and find out things, and that 
our response is lagging further and further behind, and for a vari- 
ety of reasons, which they have enumerated. And it is a somewhat 
pessimistic view of our country’s ability to protect against particu- 
larly sophisticated sorts of attacks. 

I would be interested in that larger sense from what you all see 
in your business dealings every day, whether you share that view 
of and concern that attacks are growing exponentially both in num- 
ber and in sophistication. And that it is going to be very difficult 
for us to stay ahead of the bad guys, if you will. 

Mr. Diffie? 

Mr. Diffie. Well, let me suggest to start with that we are ahead. 
Our economy, I know, is not as its best at this instant, but fun- 
damentally, it is a great, thriving, robust institution. Our society, 
likewise. So a lot of the way you view this issue of how many at- 
tacks there are, how sophisticated they are, how much damage they 
did to you, is really just a matter of setting thresholds, which are 
going to come out very emotional, because loosely speaking, any 
level of attack is irritating to us. 

And I would be very skeptical that on balance development and 
cyber attacks so far could actually be said to have slowed our soci- 
ety down very much. 

Moving to a slightly more technical level, I would say that we 
have unquestionably made major achievements in some areas of se- 
curity, which, if adequately widely deployed, would put an end to 
many of these things. And so, this again comes down almost to a 
matter of definition. When you are trying to protect, you are trying 
to protect the whole curtain wall of your fortress. And somebody 
who punches any hole through it gets credit. So we will probably 
always be chafing at the number of cases in which we failed. 

But I think that if you look at the overall development, and not 
just of security techniques, but of computer software. You will find 
it is far more robust, far more reliable, far more resistant to attack 
today fundamentally than it used to be. 

The difficulty comes out of the degree to which this is a dual-use 
technology. And the technology is in the hands of a wide diversity 
of people, some of whom don’t have our best interests at heart. 
What worries me maybe most in planning about this is that we 
think of it a lot as cyber crime and as a cyber nuisance. 

And that as so far, we have not seen any 9/11-like, let alone a 
nuclear bombing-like attack on the United States by cyber meth- 
ods. 

I believe it is still a matter of speculation whether that could by 
itself be comparable in damage. When you look at our own military 
doctrine, we use cyber warfare conjoined with physical warfare. 

But the thing that worries me is that we are not making suffi- 
cient preparation for protecting ourselves against cyber attack by 
what I think of as real enemies, enemies who have assets outside 
the United States, outside the control and to some degree outside 
the retribution of the United States, who can develop and cook 
their attacks long enough that they will be really dangerous when 
they happen. 

Mr. Reitinger. I would just reiterate, Mr. Chairman, that I am 
equally positive about what industry can and will accomplish. I 
think the priority has changed. 

One area that we do have to attack is the issue that has come 
up a number of times of information sharing. Sadly, hackers are 
still better at sharing information than perhaps we in government 
and industry are. They are great at describing vulnerabilities in 
systems and building wonderful GUI-based attack tools to use. We 
need to share information to that same level. 

But I remain very positive that government and industry work- 
ing together and industry innovating will achieve new and better 
security solutions. And we are actually better off and we are get- 
ting better off over time. 

Dr. Lowery. Mr. Chairman, I would add to that that a pessi- 
mistic or defeatist attitude is not warranted. We have a very posi- 
tive outlook on this as well. There are really no technical reasons 
that we should be less secure than we are perceived to be. 
Again, I point back to education as a prime component of this. 
That many of the problems that continue to arise, this lag that you 
may be perceiving is really a gap in education, which we could rec- 
tify if we put resources behind educating those who are using the 
technology so they use it in a more responsible manner. 

Mr. Thornberry. And Ms. Gau? 

Ms. Gau. With respect to AOL suffering a debilitating cyber-at- 
tack, I would be optimistic in saying that I don’t believe it could 
happen. However, let me just say that AOL is attacked by hackers 
on a daily basis. We see all forms, all varieties and all numbers of 
hacker attacks. And they have increased and varied in techniques 
over the years. And as a result, not only have we had to invest 
money into the systems that we have in place to monitor the net- 
work, but also the staff that we have in place to be there. We have 
also had to make sure that we are eternally vigilant about these 
issues. 

And to the extent that we remain vigilant and that we use the 
security technology that is available today, I believe we are in a 
good position. However, there is still the human element. The 
human element being the weakest link. And there, again to reit- 
erate education, it is not only on a public awareness level, but it 
is also making sure employees are trained, that they understand 
what are the steps that they need to take. 

Mr. Thornberry. And I want to pursue the education issue in just 
a second. Just real briefly, are you finding it more difficult to stay 
ahead of the hackers? I mean, you said you are putting more re- 
sources into it, is it becoming increasingly difficult to stay a step 
or two ahead? 

Ms. Gau. I would not characterize it as being more difficult, no. 

Mr. Thornberry. Okay, that is helpful. 

Gentleman from New Jersey, Mr. Andrews? 

Mr. Andrews. Thank you. 

I would like to thank the witnesses for their outstanding work 
and testimony today. 

Thank the chairman and the ranking member for another in a 
series of truly edifying and challenging hearings. Thank you for 
your work. 

I want to go back to the question the chairman raised at the be- 
ginning of the questions here because I think it is the central focus 
that we have. He asked whether the panel thought that the market 
alone would bring us to a sufficient point of security or whether 
there was a point beyond that. And I think I heard the consensus 
was that although the market would take us a very long way in- 
deed that there was an increment of security above and beyond 
what the market would do. 

The second point of consensus that I am hearing is that one of 
the ways, one of the most effective ways the government can help 
us stretch the market, stretch the market solutions is through the 
creative use of our purchasing power as a customer that demands 
these products. 

The third thing that I am hearing a point of consensus is that 
that purchasing power must be carefully calibrated and distin- 
guished among various sectors. What the Agriculture Department 
would buy would be something very different than what the Defense 
Department would buy. That it needs to be continuously upgraded. 
A theme that I am hearing from the panel, and really from 
the members, is that if we have a static standard of what is suffi- 
cient that you are all going to leave us behind in the dust, at least 
I hope you will if that is the case. 

And the final point of consensus that I am hearing is that — I 
think I am hearing is that we need to do a surgical and thoughtful 
job of articulating what those standards ought to be. We shouldn’t 
haphazardly define the standards. 

What I would like to ask the panel is if I have misstated any 
point of consensus here, please tell me. And I say that without 
pride of authorship, I am simply reporting what I think I hear, 
number one. And number two, if it was your job to design the 
standard-setting function within the Department of Homeland Se- 
curity and within the U.S. government generally, what would that 
institution look like? What kind of institution would it be that 
would tell our purchasing people what it is they should demand 
when they buy a system that protects the Social Security Adminis- 
tration’s record? Or when they buy a system that protects the troop 
deployment databases of the Marines Corps? Or whatever else. 

And we will start with our friend from AOL at the right side. 

I, just parenthetically, my last name begins with ’A’ and in law 
school a lot of professors call on students in alphabetical order. It 
is a very harrowing experience. So when I taught law school, I 
start at the other end of the alphabet so I wanted the people at 
the other end to get their just deserts. So because you have had 
to wait so often today, we will start at your end. 

Ms. Gau. Picking the latter part of your question with respect to 
what would an institution look like that might set security stand- 
ards for the government, I think that the model of everything we 
are talking about where it would be an institution that would work 
closely with the private sector together, as we all hope to do, with 
Department of Homeland Security. That there would have to be 
dialogue to establish what the baseline security standards would 
be. 

And such an institution, presumably, would have tentacles into 
procurement processes such that they could mandate the different 
standards, just as there are other standards such as those that I 
have referenced earlier today such as accessibility standards and 
products. 

Where it might best fit, I don’t think I am really in a position 
to say either. But I think that such an attempt by the government 
to indeed mandate that as a customer and a consumer of these 
goods that government would move in the direction to push manu- 
facturers and service providers to include the baseline security 
standards is a step in the right direction. 

Mr. Andrews. I want to be clear also, as I know you said, I am 
not talking about mandating standards on the private sector. I am 
talking about mandating our own internal standards for demand- 
ing product when we go into the private sector. 

Yes, sir. 

Mr. Ianna. I think the question has to be answered this way, 
what level of security do you want to be able to espouse? Do you 
have a metric to be able to easily convey to the public that we have 
raised the cyber-security level to this level? And we have to create 
that metric, just like we had to create the metric in network reli- 
ability. 

What are we talking about? We are talking about, you know, how 
many DPMs, defects per millions of failures you have and what 
constitutes a failure, et cetera. 

And then I think it has to be done on a — you can’t eat this ele- 
phant all in one bite. You have to do it in small bites. And every 
sector needs to define, I believe, their critical systems that they 
need to have cyber-defense around. And once you have done that, 
do we have, for example, the critical systems cyber-protected to this 
gold level in the Department of Agriculture or how long will it take 
us to get there. 

Then I think — if I were in the government, I would be trying to 
convey to people that we have a methodical way of convincing peo- 
ple that we know what we are doing. We know what direction we 
are going in. And we know how we are on our journey to get there. 

And secondly, lastly actually, it is not static. The minute some- 
body says I am protected to the gold level, a new threat comes in 
and the gold standard has to be redefined. 

Mr. Andrews. Sir? 

Mr. Adelson. I believe that that is the key is the dynamic na- 
ture. And perhaps one way to achieve a dynamic standard, if you — 
that is kind of a contradiction in terms, but — is to actually involve 
in real time, industry. And by real time, I mean having individuals 
who represent industry be part of a panel wherever this group sits 
in government, where they can provide that data and how it has 
changed in real time. 

And I suggest that just because industry, because of the market 
forces, is going to be thinking about that with a great degree of 
diligence. And I would expect that their message should be heeded, 
even across different sectors, as it applies to, you know, buying 
power within government. 

Mr. Andrews. I hear you. Boy, that would raise significant 
issues about protection of intellectual property. I mean, we want to 
do that, but we want to do it in a way that doesn’t punish the pri- 
vate sector concern for participating in that, right? 

Mr. Adelson. I think there are certainly protections that can be 
put in place so that communication can happen. I can tell you that 
it is relatively rare, although it does occur, where, you know, data 
about an incident is something that I might fear being propagated. 

However, data about the security technology itself is really most- 
ly, in terms of consumer products, you know, certainly the case, 
public data. And there is a lot out there which would go a long 
way. And certainly within the standards set, I would hope that 
these would be technologies that everyone can purchase. 

So there isn’t a lot there to hide. 

Mr. Andrews. Thank you. 

Dr. Lowery. Congressman, I think you have accurately summa- 
rized at least what we believe at Dell. And as far as how I would 
structure this entity that you have referenced, I don’t know that I 
would be an expert in helping you to architect such an organiza- 
tion. But things that you should consider when you are developing 
the standards for the government, consider what I said earlier and 
that is that there is a baseline of security which is just prudent for 
everyone to adhere to. And then each particular application of tech- 
nology must be scrutinized in the context in which it will be used 
and security for that purpose needs to be customized for it accord- 
ingly. 

Mr. Andrews. Thank you. 

Sir? 

Mr. Diffie. I think that what we have to keep in mind is the 
breadth of the activity you are talking about. Government has a 
major movement in the last, say 20 years, to move to commercial 
off-the-shelf technology to support all its activities wherever it can, 
to narrow back the, you know, technical nuclear, the technical corn- 
sat with things. It all stems from going away with the national ar- 
senal system 80 years ago. 

Second, all of this is in some sense dual-use technology in terms 
of the role it plays in cyber-crime and cyber-warfare and cyber-se- 
curity. So you are building things out of standard components, com- 
ponents that people use for a very wide range of things in society. 

And finally, this is an international problem. We cannot afford, 
as we did during the Cold War, to think of our own security needs 
in isolation from those of our trading partners and indeed the rest 
of the world. 

So let me suggest that this organization, which is going to need 
to walk down the Potomac on its tiptoes, I am afraid, has to be a 
meeting ground with a prudent ability to manage information rela- 
tions between quite a number of constituents. Its government cus- 
tomer — and I construe that broadly; the intelligence and law en- 
forcement communities on which it will depend for a lot of the 
kinds of feedback information I have been talking about; the indus- 
try on which it will depend almost entirely for products and proc- 
esses and support; and the international community, the inter- 
national standards organizations and many different kinds of gov- 
ernmental and non-governmental and industrial organizations 
throughout the world. 

So the best I can say is I am very in favor of openness in the 
standard-setting function. And that that should be specialized so 
the cases where closed things are needed, that we should give care- 
ful thought to the way the information-restricted activities take 
place and be sure that that is subordinate to the general openness 
that will allow us to accommodate ourselves to everybody’s needs. 

Mr. Andrews. Follows your principle that secrecy creates vulner- 
ability as I think you said at the beginning. 

Mr. Diffie. Yes, actually, I think that actually this principle’s a 
little broader than this. My view is this is infeasible without a lot 
of information-sharing that has been stifled in the past. 

Mr. Andrews. Yes, sir, thank you. 

Mr. Reitinger. I will be very brief, Congressman. First off, on 
standards, one suggestion I would have is that as, again, I am re- 
peating a lot of what Whit is saying, that we avoid having specific 
government standards to the extent possible. I think if you rely on 
industry-based market-driven standards, you will find the govern- 
ment keeps more up to date than if it sets government-specific 
standards which will maybe become hoary in a shorter period of 
time. 
The second thing is that I think it would be useful to turn and 
see what is happening at NIST under some of the processes started 
under the Federal Information Security Management Act. NIST — 
I would have to go back and reread the act, but I know NIST re- 
cently published FIPS 199, which has a categorization of informa- 
tion and information systems into risk categories. 

My understanding is that under that last act, they are going to 
go on and produce guidelines for how to protect that information. 
And that might be a very valuable process for this committee to 
look at and watch. 

Mr. Andrews. Thank you very much. 

Thank you, Mr. Chairman. 

Mr. Thornberry. Thank the gentleman for, again, asking excel- 
lent questions. 

The ranking member of the full committee, the gentleman from 
Texas. 

Mr. Turner. Thank you, Mr. Chairman. 

First, I want to compliment you, Mr. Chairman and Ms. Lofgren, 
our ranking member, on your leadership in the area of 
cybersecurity. Those who have been a part of your hearings and 
your also compliment you on the leadership you are both providing 
in this important area. 

Dr. Lowery I want to compliment Dell for your leadership in pro- 
viding or offering your Center for Internet Security Level I bench- 
mark to your customers. 

There is no question that your business model selling directly to 
customers provides an excellent opportunity to promote the pur- 
chase of a secure computer system. 

I guess your interest in providing security arose out of the De- 
partment of Defense requirements. By then turning that into an of- 
fering to others with the stamp of approval of the Center for Inter- 
net Security, it seems to me that it should become something very 
quickly that most people would want to pay for. 

Dr. Lowery. We agree with that assessment too, Congressman. 
We were directed to CIS by federal customers, who pointed to the 
CIS as a source of best practices that they agreed with. 

We evaluated the CIS and their benchmark settings, and we 
heard that a product offering where we could make those settings 
in the factory was feasible, that we could do as our customer re- 
quested. We did that, and we got it in such a way that others can 
benefit from our work and the work of CIS. 

We are very excited about the offering. We hope that it will con- 
tribute to improving the security landscape as it exists. 

Mr. Turner. Well, I commend you for it. The issue before us and 
the same one raised by Congressman Andrews: How do we rep- 
licate this? As I understand it, there is a host of entities out there 
that say they certify or they recommend certain security measures. 
Every company, you know, is looking for somebody. Not everybody 
looks to the Center for Internet Security. Some look to other groups 
out there. 

If we want to accomplish what I think is the goal that most of 
us share — self regulation — we want to be sure the industry provides 
the leadership on security initiatives. 

As has been pointed out, if government is the role of creating 
standards they will be outdated the moment that they are drafted. 

It is clear we need a viable ongoing effort among industry part- 
ners to set some standards. 

How would you suggest, Dr. Lowery, or any of the witnesses, 
that we decide on a consensus organization made up of that we 
would look to as the good housekeeping seal of approval, if you will, 
for security. We should have something so we would know that if 
it had that stamp of approval on it, then that was the best you 
could buy. As you all have said, if you don’t want to buy such a 
certified approved product then that is your choice. 

At the very least we would have provided an industry-wide ap- 
proved certification that is recognized by the buying public. Then 
we would encourage the buying public to make a choice. The reason 
I believe strongly that is the right way to go is I think security is 
on everybody’s mind. I think this problem can be solved in this 
fashion voluntarily, if industry will work in cooperation with gov- 
ernment we will have a standard-setting entity that everybody 
knows about and respects, and therefore, will follow. 

I know how it was in our house when we made our last computer 
purchase. We were thinking about security now. And I think most 
people are. I don’t think any business in America wants to be 
caught short in not providing security to its business systems. 

The liability and the risk are too great. 

So how can we get there with a standard that people will follow? 

Dr. Lowery. I think everything you said is true. And I also per- 
ceive that there are a lot of little organizations, for lack of larger 
ones. Each of them are trying to make sense out of the security 
problem and have delivered into the spaces they perceive where 
there is a gap, what they call their standard or a consensus that 
they have arrived at. 

I think all of them are valuable. None of them should be belittled 
because their stuff often comes from small sector doing something. 

But I do also see the need for convergence, a consensus process. 
Dell would also welcome seeing a more consolidated approach to 
achieving the standards. The fewer standards that there are, the 
easier it is for us to bring them to market. 

The only caution that I would give you in trying to approach a 
singular standard or a single organization, which does that, is that 
organization must understand that security is not one size fits all. 
We had to be very careful in its deliberations and in standards that 
it might recommend. To keep that in mind, that we must be sure 
that security fits the situation, that it is going to be the deployable 
technology. 

As far as the way to actually achieve the convergence, I think we 
are seeing some of that already. I am not exactly sure what to rec- 
ommend what we do to hasten the convergence. 

Mr. Turner. Anyone else? 

Mr. Diffie. Let me extend that not one but sole point as saying 
it is important to remember that security is always a secondary ob- 
jective. You always want to do something and you want to do it se- 
curely. So having an underwriters lab like stamps that would go 
on everything happens to be particularly tricky in security, because 
security is more contextual probably more than the other safety 
technologies. And so although your car, of course, depends on how 
it is driven and how it is maintained, as well as how it was built, 
that kind of environmental characteristics are even more important 
in the security area. 

So I think that a labeling scheme, we already have several, is not 
going to be trivial to achieve. 

Mr. Reitinger. Two brief points, Congressman. First off, as you 
suggested, there are lots of good standards or other organizations 
out there developing things and certifying things such as the com- 
mon criteria. 

Second, I have got some very good news, which is although one 
size does not fit all — I agree very much with that — it is important 
to have as much consistency as possible among different people 
providing advice to consumers. 

And so Microsoft, for example, is working closely with the Center 
for Internet Security to converge our guidance on how to secure our 
products going forward. That kind of activity is taking place in in- 
dustry. We are talking amongst ourselves and we are trying to 
solve the problem. And I think we are solving the problem. 

Mr. Turner. Thank you. Thank you, Mr. Chairman. 

Mr. Thornberry. Let me delve — I thank the ranking member — 
let me ask briefly about the information sharing, because a num- 
ber — we have talked about it a lot and it has come up in different 
contexts. Mr. Ianna, you talked, I know, specifically about the 
telecom ISAC and it being successful. What I hear from others is 
that their ISACs are not nearly as successful as you have become. 
And you mentioned government funding being one of the things 
that is not the case with the others. 

And then I am also struck, Mr. Adelson, one of the comments you 
made is that we share information real well on a technical level, 
but what that leads me to think, Okay, where do we not share in- 
formation real well? That is going to be for the areas that are com- 
petitive, the things that are not so technical. And so the view has 
been expressed that there is a limit to how far information sharing 
is ever going to reach. 

That when you are dealing with competitors and industry group- 
ing, they are only going to go so far. And they will talk about 
FOIA, and then they will talk about anti-trust and then they will 
do something else that they talk about. 

Whatever it is, it is going to be an obstacle to — and I am not 
criticizing that, but it is a natural thing. 

I guess I am interested in observations — Mr. Ianna, I will start 
with you — about this subject of information sharing. Are there le- 
gitimate barriers that the federal government needs to break 
down? Or is it more a question of a trusting sort of relationship 
that has to develop over time, at least for industry to share infor- 
mation with the federal government? 

So you see ISACs as — I will say salvageable — some people say 
they are not, need to start from scratch. And if so, how do we make 
them? And I realize there are too many things to get into. But I 
would appreciate each of your suggestions on this information shar- 
ing idea. 

Mr. Ianna. Well, first of all, I think one of the other keys on the 
telecom ISAC and other structures surrounding that — I mention 
NRIC — is be aware of their time. They have been in existence for 
quite some time. NRIC goes back almost 11 years. I don’t know 
when. Probably more than that. So there has been time when they 
worked together. 

Believe me, the first few years when we started NRIC at NRC, 
we had the exact same thing. I can imagine that Microsoft and 
MCI and AT&T and Sprint saying we are all going to share our 
failures. All right, it was not easy, okay, number one. Number two, 
it came down to a situation that we realized that by very nature 
we were all interconnected. And we were all just interconnected. 
And the failures that we would see in one network might show up 
in another network because we all used similar types of equipment. 

And I think some of those — some of those — you know, we all use 
equipment from a set of vendors that might experience a failure. 
So we want to be able to know what happened. 

And then I think that the next thing that we experienced was 
nobody likes to advertise a failure. And there was a lot of debate 
about, Well, when I have a failure, it is AT&T and can I ask 
AT&T? 

And we had this debate. And we started out as they were mask- 
ing it. And finally, after a while, we just said, Okay, here they are, 
here are the failures. And last year AT&T had 20-something FCC 
reports on this — had three. I know how many MCI had. I know 
how many Sprint had. 

But the good news of that, the good news of that is that we do 
have quarters, 40 quarters worth of statistically valid data on fail- 
ures on wire line networks. Now the debate going on at the NRC 
is others saying, Look, wireless for data networks, et cetera, will 
be voluntary. We will map the data, et cetera. 

So I think there are ways of sharing the information. And I think 
what it all comes down to in the end is that we can improve the 
situation of the whole lot. There are competitive issues. We worried 
about anti-trust. We worried about information sharing and com- 
petitive things. And we had lawyers praying over that for a while. 
And we got past that. 

And I think the end result has been that we have listed — now 
the FCC has sat in front of you, and you ask is the network reli- 
able? Can it give you a number? Can you say it is getting better 
or worse? And they can break it down by quarter. And they can 
break it down by technology. 

So I think the answer is it does work. It takes time. It takes 
trust. And the other issue of information sharing that I know a lot 
of people — and I am worried about also is when we do share infor- 
mation, is the problem about sharing information from one com- 
petitive entity to another, which you don’t want to have happen as 
a competitive concern, but then making that information then pub- 
lic. 

I think some of the protections that went into the Homeland Se- 
curity Act around information protection are good and need to be 
enforced so that we don’t have information getting pulled out under 
Freedom of Information Act, something that we have shared that 
we don’t want to become public and also that doesn’t become pub- 
lic. 
Mr. Adelson. There are a few points that we made that I would 
like to comment on. First, regarding the telecom ISAC, I absolutely 
agree that the telecom ISAC has worked for telecommunication-spe- 
cific issues. But just using 9/11 as an example, during that crisis, 
there were between 25 and 50 extremely large critical networks 
and service providers in the United States who did not get any con- 
tact and were not part of any telecom ISAC. That is one issue. 

Secondly, on recent research you could do on the Internet would 
point to over 13,000 independent entities that are relevant to Inter- 
net stability, even for the biggest carriers. 

To put an ISAC together for Internet infrastructure would re- 
quire representation not only from network service providers any- 
more, but from content providers, enterprise and vendors. Why so 
diverse? It is a function of the hierarchy used to be a carrier sold 
to a content provider who provided services for a user and so on. 

Now it is much more of a level playing field. And those players 
need to be represented at a security level in discussing these 
issues. So I don’t know how to do that with an ISAC with the 
Internet. That is one issue. 

Secondly, you mentioned the technical communication that is 
going on. The real difference between the Internet and other indus- 
try areas where that communication happens is that the Internet 
is extremely interdependent. My ability to stay up is dependent on 
my peer — is the term used — and their ability to stay up. And so, 
because of that interdependency, there has been a tendency to com- 
municate. 

Furthermore, because security issues on the Internet are tech- 
nical in nature, we have been fortunate in that most of the communication 
that has been required, at least for disaster recovery, is 
handled by technical people. I mean, there are exceptions, the provisioning 
side, for example, who are somewhat separate from the technical. 
But there has been some industry success there. 

And I think as we expand beyond network to network commu- 
nications and go into network and enterprise communications, this 
is where I see a central point of contact, a central group becoming 
really critical, 13,000, 50,000, however many entities require some 
critical information. I am not comfortable relying on the industry 
itself to provide that intercommunication well. 

Ms. Gau. Actually, you took one of the points I wanted to touch 
upon relating to information sharing and is there a competitive 
barrier to doing so. I think, once again here, we see the market- 
place forces in action. As we are networks connected to networks 
connected to each other, and we are in the interdependent, even 
though we have points of redundancy. 

If AOL sees a hacker attack coming on, that we might be able 
to sustain, but we might know that somebody else might not be 
able to or in more, should we say, self-centered interests, we don’t 
want anything bad to happen to anybody else because if they go 
down, we are going to get a ton of mail thrown back at us from 
their servers as an example of a denial of service attack back on 
us. 

So we are actually motivated not only to maintain the stability 
of the Internet and the ability of people, for example, to send e- 
mail to AOL, but also for us to be able to maintain our own service 
and not have to then deal with a situation where somebody else 
has gone down. 

Additionally, in that same regard, not only are we reaching out 
to individual providers and companies and partners that we have 
that we know are going to potentially be impacted by a particular 
attack or a particular vulnerability, we do share that information 
with government and we do so in an effort to ensure that that in- 
formation is made available to the mom and pop ISP that may not 
be able to have access to that information because, as you have 
pointed out, they don’t have the resources to have somebody sitting 
here at the table. 

That is where we would really strongly like to continue to work 
with the government, in particular, the Department of Homeland 
Security and the new cybersecurity division. 

Mr. Thornberry. Mr. Ianna, let me ask you one brief question. 
You mentioned, which is not something I had thought of much be- 
fore the demands placed upon you from 50 different states for in- 
formation, which is information sharing in a little different way. Do 
you think that there needs to be some — you mentioned a template 
which implies that the federal government would require certain 
information and the same sort of thing could be sent to the states. 

Do you think that there is a need for some sort of legislation that 
preempts states from asking for the same or additional informa- 
tion? You know, we did that with ERISA on insurance where the 
federal standard is the thing that, you know, trumps everything 
else. If you are — if all of you could get demands from lots of dif- 
ferent jurisdictions which would be impossible to keep up with, it 
seems to me. 

Mr. Ianna. I don’t — I can’t speak to whether legislation at the 
federal level would be the best way to do it. I would say certainly, 
cooperation, or saying look, if we are going to have a standard, let 
us make the federal government the standard. And if I just need 
to parse out the data for this state, here is the data for that state. 

I don’t know. I could go back and research, but after the FCC at 
the federal level in NRIC, or NRC, started asking for outage re- 
ports, several states followed with that. I don’t know how many. I 
think it is probably more than a dozen or so about outages in their 
states and whether or not they followed the same rules, et cetera. 

But I think it would benefit the industry, only because of this — 
particularly in cyber defense, it is very hard to determine the geog- 
raphy of where the issue is and where it started. It might be im- 
pacting something in a particular state, but the cause might have 
been in a totally different state. 

So trying to define geographic boundaries in a cyber environment 
is not the same as trying to define physical boundaries against 
physical attacks. 

So from a cyber perspective, it certainly would be helpful to have 
a template or a focusing organization, like Department of Home- 
land Security, say let us do it this way. Let us do it once. And then 
we could give you your data, okay, that is, you know, for your 
state. 

Mr. Thornberry. I suspect in all areas of information sharing 
that differences between industries are a key thing. I mean, I can 
see a number of the things you all are talking about that require 
information sharing for the IT sector may not apply to electricity 
or agriculture, some of the other critical infrastructures which have 
been identified and may be the same case here. Depends on how 
much the states regulate, for example, electricity or telecommuni- 
cations as to the leverage they have to put demands upon you for 
any information. 

Mr. Ianna. Just one other point that was made by the gentleman 
to my right about the telecom ISAC and the IT-ISAC. One of the 
things that we found out is because, particularly on data commu- 
nications and computer-based Internet communications et cetera, 
the telecom ISAC and the information technology computer ISAC 
are twisted together very tightly. 

For example, with the slammer virus, our security people were 
not only working with the telcom ISAC, but also obviously with the 
IT-ISAC. It was the computers on the network that were causing 
the problem with the virus and that was impacting the networks. 
So they are very tightly twisted together. And you can’t just look 
at one, they are very tightly twisted together. 

Mr. Thornberry. Good point. 

Does the gentlelady from California have additional questions? 

Ms. Lofgren. Just one. And I am mindful that you have been 
here a long time, and we certainly do appreciate it. I think really 
the information you have provided us, each of you today, has been 
enormously helpful. And we may want to follow up with you as we 
proceed with additional questions and ideas. 

But listening today, obviously, this is a complicated area. But it 
may be further complicated by constraints that are being — that we 
may face as we go down the road. I heard the comment relative to 
the lawyers praying over the anti-trust implications. That was a 
cute way to put it. 

Recently, we expanded the exemptions for anti-trust risk for enti- 
ties that are setting open technical standards. And I think it is im- 
portant that the openness be part of it. And I am wondering — this 
will be two questions — whether we have sufficiently addressed 
anti-trust concerns in the development of open standard setting in 
this arena? 

And then secondarily, I can’t remember who, mentioned the issue 
of the need to be able to deploy solutions in ways that are not bur- 
dened by intellectual property protection and whether anyone has 
advice for us in that area as well, those two implications of IP as 
well as anti-trust. 

Do we need to change the law in any way? 

Mr. Diffie. Well, I am not sure. I think there are ramifications 
from the question I don’t understand. But the intellectual property 
issue has come in here in two different ways. One is a fairly ordi- 
nary issue of things that are particularly — are patentable and 
therefore royalties are owing to the patent holders in turn for using 
that technology. 

The other is in this argument in the computer industry between 
open source and closed source coding practices. And that is one of 
the ones that I think presents a thorny problem because in security 
there is, as I said earlier, a very explicit respect in which closeness 
is a vulnerability. At the same time, proprietary techniques, trade 
secrets are an essential basis of our business practices in this coun- 
try. 

So we need to find a business model that permits the users of 
products with security requirements and security implications to be 
able to verify that the products have the security characteristics 
they need. And to do this, to see if we can do this and still allow 
ourselves the benefits of allowing some manufacturers with propri- 
etary techniques. 

I don’t have a clearer statement of it than that. But I believe it 
actually is one of the research frontiers in this area and it is a 
business frontier. 

Ms. Lofgren. One of the — I mentioned to Chris Henkin a com- 
ment that — I won’t mention the fellow’s name, and I don’t think 
there is a chance in the world that the federal government will do 
this, that it was recommended by the — someone in law enforcement 
that we establish a kind of a software clearinghouse and that the 
federal government would clear, you know, all the software. I think 
that is a very bad idea. 

But the issue is how do we achieve assurance? Obviously, not 
with a government agency. But how do we do this, for lack of a bet- 
ter word, the audit function for the security? Whether it is software 
or networks or hardware, how is that best achieved? How do we 
set up a structure so that occurs? 

Mr. Reitinger. Congresswoman, I think my answer to that 
would be the one I gave when you asked a similar question earlier, 
which is making sure that the vendor that is providing the soft- 
ware has a robust software assurance and quality assurance proc- 
ess that the government can review and make a judgment upon. 
I think vendors are moving in that direction. A lot of them are 
there already. And I think it is important and valued for customers 
to know about that process. 

Mr. Diffie. So I would say in this respect we should look at the 
successes and failures of an existing model, which is that for dec- 
ades the National Security has been the executive agent for infor- 
mation security for the Defense Department and some other areas 
of the U.S. government. And they have done, in many ways, a good 
job. 

On the other hand, the mechanisms they have, whose strength 
is in the, unfortunately, their unification of intelligence and secu- 
rity and their ability to trade off between the two and make use 
of their intelligence function in monitoring the security of their 
products. 

They show no sign of being able to cope with the problem that 
we face, for the following reason. The Defense Department is a very 
large organization, but it is very unified. Everyone in the Defense 
Department knows the chain of command, starting with the Presi- 
dent down through the secretary of defense. 

And the important point about the Internet as a place is that so 
many people stand there by rights. You don’t get to vet your per- 
sonnel in the whole world. 

So we have an extraordinary diversity. And I think your sugges- 
tion is one of the major critical points. You can ask what the track 
record and what the development methodologies of your suppliers 
are. It is also true that there is an ever developing methodology in 
two directions. One is vetting individual applications, knowing that 
you are going to be able to minimize the damage they can do you. 

This, just incidentally, is one of the targets to which Java is de- 
voted. The other is in building operating systems that have suffi- 
cient capacity to confine applications so that the applications can’t 
do damage to other things. 

And this is one: The declining cost of hardware has allowed us 
to devote more and more hardware to that explicit objective. Sun’s 
largest servers now have what is called hardware domaining, 
which is a very robust way of containing processes. 

So I think that the proposal that the federal government should 
vet all the software is on the face of it infeasible whether or not? 

Ms. Lofgren. Well, it is a non-starter anyhow. 

Mr. Diffie. Whether it is desirable or not, it is perfectly infeasi- 
ble. But that both the original 1970s, 1980s DOD objective of build- 
ing an operating system that could maintain what the Soviets 
called praksa; prison laboratories, where they didn’t have to trust 
the staff because they weren’t going to let them go anywhere. Or 
at standpoint in Java we call sandbox or at the other end improv- 
ing software development methodology, which will have a profound 
impact not only in security but through all of our economy. I think 
both of these things will play a role. 

Mr. Ianna. I think there are — as a service provider who uses a 
lot of these different types of hardware and software technology, ei- 
ther in the provision of service directly or the support systems that 
help us provision and maintain these services, we have a practice 
where we try to test the software in our laboratory and attempt — 
and I do use the word “attempt” — to simulate many of the condi- 
tions that we may find in the network before the software and the 
hardware is introduced into the network. It is called an integrated 
test network. 

Some vendors find that process very, very cumbersome. It does 
add time to our development process and our deployment of tech- 
nology. 

But the alternative is to have software out there which may have 
an interaction with some other software out there which creates 
something that is very bad for your customers on your network. 

I would like to be able to say that we find every bug in every 
software issue that we have and we know of every interaction that 
is bad that can happen out there, that is not the case. But we do 
have — and we have shared practices in the telcom ISAC and, the 
NRIC, on ways of testing those things. 

By the way, it was interesting, at least what I was thinking 
about this issue, one of the interesting things here is we had a time 
in our recent history where we had to do this very quickly, because 
we didn’t have all the time in the world, and that was for Y2K. We 
had a date certain that we had to do something. 

And we picked a way of doing it because we couldn’t make all 
the permutations, so we shared a lot of information. And if I knew 
this software interacting with this switch with this operating sys- 
tem was okay by some other vendor’s test, I accepted that and I 
shared my tests with somebody else too. Otherwise, you would 
have, you know, even if you took one second for every test in the 
3 years, you wouldn’t have been able to test all the permutations. 
And that worked extremely well. 

The difficulty we have in this situation is we don’t have a date 
certain when something is going to happen. And we don’t know — 
the thing that might happen is not defined and will change. And 
creating that sense of urgency around that I think is important for 
us at the government level and at the industry level to do that we 
must be cyber secure and we must take this very seriously. We do 
only because we have had failures where software was the cause. 

Ms. Gau. Fortunately, at this point, we have not suffered a large- 
scale cyber attack by a foreign government or foreign agents so to 
speak. But AOL, as I mentioned, experiences hacker attacks on a 
daily basis. And over the years, we have found that that kind of 
pounding of our systems has helped us identify security problems 
that we are then able to fix. Because as it turns out, the hacker 
in question was just a teenager working, you know, on the com- 
puter, or not working, but playing on the computer in the home, 
and wasn’t really seeking to do anything but to gain bragging 
rights for having accomplished something. 

And obviously, not everyone can do that to every product that 
they are going to put out into the market. There is only so much 
beta testing you can do. But one of the things that we have done 
with vendors of ours, particularly, for example, companies that par- 
ticipate in the shopping area on AOL, what we consider certified 
merchants. We require them to undergo security audit with one of 
two firms that we identify to them. 

Now, on a large-scale basis, that is not realistic, because there 
are costs involved. And so only the big players can really come to 
the table if they want to be in the shopping area on AOL because 
they are going to have to pay for this security audit. 

But there is no question that stress-testing of systems and per- 
haps further R&D, as well as further incubation periods for prod- 
ucts might lead in a direction where we have less products in the 
market place that you have security holes discovered in once they 
hit consumers. 

Ms. Lofgren. Mr. Chairman, we should let them have lunch. 

Mr. Thornberry. I think the gentlelady’s point is well taken. 

Let me thank each of you again for your time and your contribu- 
tion. Let me also invite each of you to continue to discuss these 
issues with the members and the staff of this subcommittee. 

As we move ahead, we are going to continue to need your input 
and our suggestions. 

For example, next week we are having this hearing on research 
and development. What areas do you think the federal government 
should concentrate its research and development in the area of 
cybersecurity? If you have thoughts on that, we would like to hear 
it. 

Again, thank you for being here. 

And this hearing stands adjourned. 

[Whereupon, at 1:16 p.m., the subcommittee was adjourned.] 
APPENDIX 

Material Submitted for the Record 

Responses to Questions for the Record from DELL, Dr. James Craig Lowery 

1. There has been widespread concern among computer industry insiders that DHS 
is not taking information security vulnerabilities seriously enough. There is still no 
Undersecretary for Information Analysis and Infrastructure Protection, and even 
when one is in place, there is concern that information security will be relegated 
to second-class status. Industry has expressed the interest in expanding partner- 
ships with government agencies to improve security, but DHS does not appear to 
be moving quickly to embrace this idea. 

a. What do you see as the government’s role in increasing security and 
standards setting? Could it be fostered through partnerships (such as 
those done through National Institute for Standards and Technology) 
and purchasing criteria? Would government mandated standards, such 
as the Common Criteria, be a helpful baseline or a hindrance to future 
innovation? 

Response: Dell is interested in sharing its insights and views on cybersecurity with 
the Department of Homeland Security. Overall, the government’s role in increasing 
security and standards setting is as a customer and through its participation in or- 
ganizations such as the Center for Internet Security in an open, voluntary and con- 
sensus-based process that includes input from all stakeholders. 

Security is a moving target, and the products and services addressing security 
needs necessarily evolve as the landscape changes. Government mandated stand- 
ards would likely result in a one-size fits-all approach that fails to address the secu- 
rity problem and would also be an obstacle to innovation in our industry. Addition- 
ally, there is some concern that the process associated with the setting of govern- 
ment standards would be so slow and cumbersome that technology and knowledge 
would always be ahead of government standards. 

b. From what you can tell, is there sufficient information-sharing tak- 
ing place between researchers who discover most vulnerabilities, com- 
panies who created the products and DHS? If CERT were formally con- 
nected to DHS, would that help FedCIRC with information dissemina- 
tion and the remediation of security problems and breaches? 

Response: We support the information-sharing that is taking place with organiza- 
tions such as CERT Coordination Center, the SANS Institute, the Center for Inter- 
net Security, and the Free Standards group. These organizations are working to de- 
velop security solutions based on consensus and standards with the input from gov- 
ernment agencies, businesses, universities, and individual security experts and to 
disseminate information. In order for these organizations to remain effective, it is 
important for Federal departments such as the Department of Homeland Security 
to participate in these organizations. 

c. How can the government help companies be more responsive to 
known security issues? Would a law providing safe-harbor, with a sun- 
set, help encourage companies to quickly fix security issues after they 
are discovered? 

Response: The Federal Government should provide information on its 
cybersecurity needs to its vendors as well as provide its input and views to organiza- 
tions that are engaged in an open, voluntary and consensus-based process for the 
development of security standards. 

Responses to Questions for the Record from EQUINIX, Mr. Jay Adelson 

1. There has been widespread concern among computer industry insiders that DHS 
is not taking information security vulnerabilities seriously enough. There is still no 
Undersecretary for Information Analysis and Infrastructure Protection, and even 
when one is in place, there is concern that information security will be relegated 
to second-class status. Industry has expressed the interest in expanding partner- 
ships with government agencies to improve security, but DHS does not appear to 
be moving quickly to embrace this idea. 

a. What do you see as the government’s role in increasing security and 
standards setting? Could it be fostered through partnerships (such as 
those done through National Institute for Standards and Technology) 
and purchasing criteria? Would government mandated standards, such 
as the Common Criteria, be a helpful baseline or a hindrance to future 
innovation? 

Response: The government has an opportunity to assume a leadership position in 
the coordination of efforts to create common security standards. While like many 
voluntary standards, they do not require regulatory enforcement such standards can 
be useful as competitive differentiators and therefore industry-driven. 

Partnerships would be required to fulfill this need, as currently the federal gov- 
ernment does not have the background and relationships required on an inter- 
national level to begin this dialogue. It would be of tremendous benefit to the indus- 
try if this could change, and via the Undersecretary for Information Analysis and 
Infrastructure Protection, such expertise could be established within the DHS over 
time. 

The government has had a role in developing cyber and physical security best 
practices through the FCC’s Network Reliability and Interoperability Council 
(NRIC), which can provide a model and a starting point. However, in our opinion, 
NRIC is not an effective place to create these best practices going forward, as it only 
represents regulated entities, a small subset of Internet infrastructure. Migrating 
the homeland security best practices work from NRIC to DHS will allow the scope 
of that work to be expanded to include previously untapped communities and a bet- 
ter representation of Internet infrastructure in general. 

Purchasing criteria to meet certain standards, as well as process and technology 
criteria, would be inclusive in these standards. While it would be appropriate for 
the federal government to act as an early adopter of these Common Criteria, the 
purchasing power of government does not alone constitute a significant enough 
motivator to catalyze adoption of these standards. 

b. From what you can tell, is there sufficient information-sharing tak- 
ing place between researchers who discover most vulnerabilities, com- 
panies who created the products and DHS? If CERT were formally con- 
nected to DHS, would that help FedCIRC with information dissemina- 
tion and the remediation of security problems and breaches? 

Response: Our visibility into the information-sharing between DHS and other enti- 
ties is limited. Certainly, at an operational level, we have seen no indication that 
DHS has had any significant communication with elements of the industry that rep- 
resent the Internet infrastructure, outside of the major router manufacturers and 
the top five telecommunication carriers. While five years ago this may have been 
sufficient, the Internet infrastructure has evolved into tens of thousands of indi- 
vidual influential entities that all require significant communication from DHS in 
the event of a crisis or in crisis preparation. CERT need not be formally connected 
to DHS for CERT’s information to be better propagated. The communications path 
between DHS and industry can potentially be better funded and maintained than 
the communication path between CERT and industry, and this neutral organized 
approach could incorporate other information outside of CERT in the decision-mak- 
ing process of who to tell what information. 

In sharp contrast to DHS’ current communication practice with industry, informal 
industry-based communication practice is strong between similar service providers, 
such as ISPs and telecom carriers, outside of any ISACs. Unfortunately, enterprises 
and large content providers have been excluded from this self-developed communica- 
tion due to their relative infancy in the Internet infrastructure, and therefore this 
provides an excellent opportunity for DHS to develop these practices, particularly 
amongst the largest population of Internet infrastructure businesses represented by 
enterprise and content. 

c. How can the government help companies be more responsive to 
known security issues? Would a law providing safe-harbor, with a sun- 
set, help encourage companies to quickly fix security issues after they 
are discovered? 

Response: Current communication plans from government to industry are event- 
driven. A major restructuring of this concept for the Internet industry would be nec- 
essary, shifting the approach to scheduled communication in addition to event-driv- 
en communication. The nature of business revenue priority would typically defocus 
enterprises from maintaining up-to-date information, however government-approved 
standards, that require regular participation by enterprise, would ensure proper 
communication practice. 

Laws providing safe-harbor would appropriately address privacy concerns. In es- 
sence, laws that protect service providers from brand damage after an event, such 
as exemptions from the Freedom of Information Act, would be necessary to ensure 
two-way communication. 
Responses to Questions for the Record from AT&T, Mr. Frank Ianna 

1. There has been widespread concern among computer industry insiders that DHS 
is not taking information security vulnerabilities seriously enough. There is still no 
Undersecretary for Information Analysis and Infrastructure Protection, and even 
when one is in place, there is concern that information security will be relegated 
to second-class status. Industry has expressed the interest in expanding partner- 
ships with government agencies to improve security, but DHS does not appear to 
be moving quickly to embrace this idea. 

a. What do you see as the government’s role in increasing security and 
standards setting? Could it be fostered through partnerships (such as 
those done through National Institute for Standards and Technology) 
and purchasing criteria? Would government mandated standards, such 
as the Common Criteria, be a helpful baseline or a hindrance to future 
innovation? 

Response: Government should first ensure that its procurement activities across 
Federal, State, and Local settings are properly coordinated through a common set 
of security standards. This is a logical first step for our nation — and frankly, unless 
such coordination can occur between these separate government entities, it will be 
unlikely to occur in a more diverse commercial setting. Selection of which standard 
to use is not the critical issue; security best practices are well understood and 
agreed upon by current security professionals. The more important issue is that the 
selected standard be uniformly applied — and government procurement is the obvi- 
ous place to start. 

b. From what you can tell, is there sufficient information-sharing tak- 
ing place between researchers who discover most vulnerabilities, com- 
panies who created the products and DHS? If CERT were formally con- 
nected to DHS, would that help FedCIRC with information dissemina- 
tion and the remediation of security problems and breaches? 

Response: Information sharing about vulnerabilities has certainly gotten much bet- 
ter and companies like AT&T are taking advantage of that information to better 
protect against and respond to vulnerabilities as they are identified. For example, 
information shared quickly during the recent slammer and blaster events helped 
AT&T take the necessary assessment and remediation actions that much more effi- 
ciently and effectively. Regarding CERT specifically, what is most important is that 
CERT be among the resources available to DHS as part of the overall public-private 
partnership for information-sharing purposes. It seems unnecessary for CERT to be 
“formally connected” to DHS in order for it to continue to be a valuable tool for DHS 
and the private sector alike. The much more urgent issue is the prevention and re- 
moval of vulnerabilities from commonly used products such as commercial operating 
systems and applications. 

c. How can the government help companies be more responsive to 
known security issues? Would a law providing safe-harbor, with a sun- 
set, help encourage companies to quickly fix security issues after they 
are discovered? 

Response: Government should foster a competitive commercial environment in 
which marketplace forces reward products and services that are free of security 
vulnerabilities. One area in which this can occur relates to government procurement 
(see above); another relates to a renewed assessment of the proper assignment of 
liabilities should such vulnerabilities result in business losses for users. That said, 
it is also important to ensure that companies that act responsibly by identifying 
vulnerabilities through timely and prudent evaluation, by notifying their customers 
and by otherwise handling identified flaws in a responsible manner are protected 
from liability and thus not discouraged from acting responsibly. 

2. Several experts have cited the threat of cyber attacks by well-organized and tech- 
nically savvy terrorist groups — specifically Al Qaeda. An article in the Washington 
Post last year laid out chilling scenarios in which terrorists might carry out cyber 
attacks that could do the same amount of damage to our critical infrastructure as 
tons of explosives. Another fear is the coordination of a cyber and physical attack, 
so that our response capabilities would be compromised or even shut down just 
when we need them most. 

a. Do you agree that these threats are real? If so, how much of a pri- 
ority should they be? Are there other variations of the cyber threat that 
should be getting more attention than they have? 

Response: It is difficult for an individual private-sector entity such as AT&T to as- 
sess the degree of actual cyber-threats, especially those outside of the telecommuni- 
cations industry, and Congress should look to government intelligence agencies, and 
not the private sector, to gauge the likelihood and severity of cyber-threats. None- 
theless, the increase of attempted intrusions and disruptions that we have identified 
over time does suggest that there are real threats, and addressing these threats con- 
tinues to be a high priority for AT&T, and should be for companies within each crit- 
ical industry sector. Like the FCC/NRIC model, each industry sector should work 
together to identify the critical systems that could be exploited to cause disruptions, 
and develop and observe voluntary best practices to improve each company’s intru- 
sion detection, deterrence and disaster recovery capabilities. This assessment must 
be done separately for each sector, and specifically for each mission-critical system 
at the “micro” and not “macro” level to be sure that characteristics unique to each 
system are identified and evaluated. Furthermore, each sector should develop meas- 
ures around these best practices so that each industry’s progress can be measured 
over time. In addition, it is important for companies that own and operate critical 
infrastructures, such as AT&T, to have ongoing communications with government 
intelligence entities to stay informed as new threats are identified. 

b. Are we, and specifically is DHS, doing enough now to address the 
possibility of large-scale cyber attacks? If not, what more needs to be 
done — is it a question of changing priorities? hiring additional per- 
sonnel? placing a higher-ranking official in charge of the cybersecurity 
issue? 

Response: The Department of Homeland Security was only created in March of this 
year, making it nearly impossible for a private-sector corporation such as AT&T to 
fairly assess its effectiveness in addressing cyber-security. Certainly more can be 
done, and naming a senior official responsible for cybersecurity will help. 

c. What is being done to research or combat the possibility of viruses, 
worms or other cyber threats morphing, so that they are impossible to 
protect against? 

Response: The global cyber community is currently investing countless hours and 
resources in the establishment of incident response teams that identify and respond 
to viruses, worms, and other cyber attacks. While this is appropriate given our cur- 
rent global cyber security posture, such security investment could be redirected to- 
ward alternate innovations that could help enable new services and hence drive the 
economy. As such, the primary research issue should involve the prevention and re- 
moval of security vulnerabilities from occurring in the first place. This must start 
with the vendors of software products that are used almost ubiquitously across the 
globe on servers, workstations, and other devices. Virtually every major security in- 
cident being experienced in recent months relies on the presence of such software 
vulnerabilities. 

d. From what you can tell, is there sufficient information-sharing tak- 
ing place between the intelligence community (and specifically the 
DHS Intelligence Analysis Directorate), which analyzes threats, and the 
science and technology arena (and specifically the Science and Tech- 
nology Directorate), where new solutions and tools can be developed to 
counteract the most likely or most worrisome threats? 

Response: The private sector is not in a position to assess the quality of informa- 
tion sharing between these two nascent directorates within DHS. 

e. Do you feel the Information Sharing Analysis Center (ISAC) estab- 
lished under Presidential Order is the right structure for information 
sharing between sectors and the federal government? What would you 
recommend as an optimal model for ISAC-like activities? How is DHS 
working with your industry ISAC? 

Response: We agree with the ISAC concept but would suggest that there is no sin- 
gle model that would meet the needs of every critical infrastructure. Infrastructure 
operators in some sectors, such as telecommunications, have a compelling need to 
communicate frequently through multiple points of interface. This is because the 
components, or segments, of the telecommunications infrastructure are inter- 
connected and the functioning of each segment has significant implications for other 
operators. These communications channels are frequently exercised because incident 
management in the telecommunications industry is a daily necessity, due to the 
widely dispersed assets, which are exposed to a multitude of threats. Other infra- 
structures, such as electric power, probably have a similar requirement. However, 
an infrastructure such as water, likely does not have the same need for many opera- 
tors to communicate with one another on a regular basis. 

For infrastructures such as telecommunications, we believe the National Coordi- 
nating Center (NCC), operated by the National Communications System (NCS), 
which is a component of DHS, is the best model. It was established in 1984 and 
has functioned as an “ISAC” for over twenty years. The federal government operates 
the center while the private sector provides representatives for “resident” and “non- 
resident” memberships. The NCC is the focal point for coordination of disaster re- 
sponse for telecommunications under the Federal Response Plan (FRP). Government 
funding and participation in this ISAC makes a compelling business case for partici- 
pation by the private sector. 

f. How has the insurance industry reacted to the development of cyber 
attacks and cyber terrorism as a risk factor for your industry? Are 
losses caused as a result of such incidents generally covered under ex- 
isting policies, or have new products been created to specifically ad- 
dress this risk factor? Do you have any sense of the impacts on insur- 
ance costs? 

Response: The insurance industry has begun to develop new insurance products al- 
beit this market is in the formative stages. Losses caused by cyber-related terrorist 
acts are generally not covered under existing policies. Though some new insurance 
products have become available, few insurance companies are willing to take on 
such risk, and even where available, coverage is limited and costly. There has been 
no impact to our insurance costs because this risk is excluded from our policies. If 
we chose to purchase insurance that protected against loss from this risk our insur- 
ance costs would increase. 

3. Providing patches to vulnerabilities is time and resource intensive. How 
does your company address the problem of legacy equipment and software 
with respect to cybersecurity? Are older and discontinued products sup- 
ported with respect to fixing newly discovered security flaws? If so, how 
is the end user notified? Is there a role for the federal government in this 
process? 

Response: This is a significant and costly issue from a cybersecurity perspective. 
In many cases, security patches are not provided to address flaws in legacy systems 
and software, and we are left with no choice but to replace potentially vulnerable 
but otherwise operational capabilities. For example, commercial operating systems 
are often periodically “retired”, at which point vendors will no longer provide reme- 
diation, patches or support. Entities running those operating systems have no option 
but to replace them or risk the possibility that vulnerabilities could be exploited. 

4. Up to this point, cybersecurity has depended on voluntary consensus across in- 
dustry. The Federal Communications Commission (FCC) has a process via the Na- 
tional Reliability and Interoperability Council (NRIC) that seems to have worked for 
the telecommunications sector, but much of this was based on the FCC regulatory 
role for that industry. 

a. Could DHS fill this void for establishing best practices, common cri- 
teria, and standards for Information Technology products and services, 
particularly for the Internet? If so, how might that be structured? 

Response: With regard to telecommunications, the Network Reliability and Inter- 
operability Council, established in the early 1990’s, has developed best practices for 
the wireline communications industry for reliability, physical and cyber security, 
etc., and the NRIC has expanded its work in the last few years on best practices 
to address IP-based, wireless and cable services. The Council has also established 
processes for standards and for templates (criteria) for interconnection and inter- 
operability. Therefore, we do not see a void with regard to telecommunications. DHS 
should be encouraged to interact with the FCC/NRIC with regard to telecommuni- 
cations best practices. This model could be used by other sectors as well, but each 
sector should be responsible for working with the appropriate government agencies 
(e.g. perhaps DOE and FERC for the electric power industry, Treasury and the Fed- 
eral Reserve for the financial services industry), in conjunction with DHS, to develop 
and implement best practices tailored to each specific sector. 

b. Are there aspects of standards for which a mandatory approach 
might be more appropriate, as is the case, for example, in health care 
or telecommunications? 

Response: The standards process is a necessary part of the service industry. In 
telecommunications, standards are essential because suppliers and competitors are 
all interconnected using ubiquitous standards agreed to by the industry. Service in- 
dustry participants work the standards process in various standards committees 
such as ATIS and IETF for the telecommunications industry. The benefit of the 
standards process to the industry is the ability to gain consensus by all participants. 
This ensures that all “voices” are heard from and one group does not dominate the 
process. ANSI provides for accreditation to ensure that standards committees do fol- 
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low this procedure, (if they are certified). However, a mandatory approach to secu- 
rity standards would be extremely difficult, and participation may be in jeopardy 
since industry participants will have concerns and the open exchange of information 
will not be as forth coming. Rather than attempting to mandate security standards, 
a better approach is to use an NRIC-like approach (described further in 2(a) and 
4(a) above) and allow peer performance pressure to be the stimulus for improvement 
in the market throughout each sector. 

c. Some major auditing firms want to help companies assess their secu- 
rity vulnerabilities and develop plans to address them. How is the busi- 
ness case being formed to justify the additional costs? 

Response: Business Continuity is an essential process for each enterprise. Each en- 
terprise does some degree of Business Continuity and risk assessment/remediation. 
This risk assessment must examine closely the “expected value” of each security in- 
vestment, because even though the probability of loss is low, the impact could poten- 
tially be quite high. This analysis is key in order to establish accurate priorities in 
where to invest limited security resources. The use of external auditing firms helps 
the enterprise with their business continuity process. Use of auditing can be for: val- 
idation of internal risk assessment, identification of gaps, new opportunities or 
thought processes, certification of center operations, etc. 

The business case for auditors would be part of the business continuity business 
case. 

5. Emergency preparedness and disaster recovery are common themes for the phys- 
ical infrastructure, but there does not appear to be adequate attention to these 
areas for cyberspace. 

a. From the perspective of your industry, how should the Department 
of Homeland Security prioritize its cybersecurity activities, from threat 
detection through disaster recovery? 

Response: Priority one should involve remediating vulnerabilities in software that 
powers our critical infrastructure. Investments in software engineering process im- 
provements, research into better tools for ensuring correctness of software, and in- 
creased attention to correctness in government procurement activities should be 
paramount in the DHS plans. 

In addition, DHS alone cannot achieve the charter of the department. It will take 
partnership with the industry to develop the priorities and programs to meet the 
demands of the “new” cyber world we all live in now. Any major initiative that could 
have a significant impact on private sector infrastructures should include, from the 
outset, industry participation, guidance and expertise. For example, much has been 
said about the possibility that the government might establish a center for cyber- 
space security. However, before undertaking such an important project, government 
and industry need to work together to explore whether we should have a national 
center for cyber space security or not, and if so, who would participate, and how 
it would operate. 

b. What should be the threshold for federal involvement in the event 
of a cyber attack? When should it be left entirely to the private sector 
to respond? 

Response: While the majority of critical infrastructure is owned and operated com- 
mercially, a non-trivial percentage (15% by most estimates) is controlled by govern- 
ment. Accordingly, government must ensure that it is properly responding to cyber 
attacks for these resources. Leading by example may be the most powerful means 
for improving the overall security posture of the nation. 

In addition, thresholds for determining when federal government should get in- 
volved should be established on a sector-specific basis. In telecommunications, 
thresholds have been defined through the NS/EP process and the work of the NCC/ 
NCS. Each event is different and it is difficult to define what the threshold should 
be to capture a process that would be applicable to all events. In the cyber world, 
each event has unique characteristics and it is difficult to define what is the critical 
nature of the event. The NCC/NCS has a long history in knowing when to pull the 
service providers together for a common restoration. Many of the principles applied 
over the years to the telecommunications structure can be transferred to the cyber 
arena. The NSEP process should be adopted for these purposes. These principles can 
and should be applied to other sectors, and adjusted for each sector to reflect the 
needs and particular characteristics of that sector. In fact, the threshold could be 
different in each industry sector. 

c. What role could the federal government play in reconstituting Inter- 
net service if a major debilitating attack were to occur? 

Response: To the degree that government-controlled infrastructure is included in 
the overall Internet community (e.g., NIPRnet, DISN, FTS-2001, etc.), government 
should obviously take the lead in coordinating proper reconstitution of such re- 
sources with its vendors, suppliers, and partners. More importantly, government 
should try to take the lead in preventing such attacks from occurring through the 
software vulnerability reduction measures outlined above. 

In addition, the government should look to the NCC/NCS, established in 1984 with 
the break up of the Bell System, to coordinate communications restoration when ap- 
propriate. Over the years the NCC has expanded its membership from traditional 
circuit switched providers to internet-related providers and vendors. In fact, during 
the September 11th event, the NCC, with its links to the White House, worked with 
industry to restore Wall Street first as part of the recovery. Continued use of the 
NCC/NCS in the “trusted” environment is the best way for the recovery process to 
work when required. 

d. In the event of a major cyber attack, what are your concerns with 
respect to disaster recovery for your company and more broadly? Do 
you think that existing continuity and recovery planning are suffi- 
cient? If not, what more needs to be done? 

Response: AT&T has the premier physical Disaster Recovery capability in the in- 
dustry, which addresses the physical replacement of destroyed assets. AT&T has in- 
vested over $300M in infrastructure and processes that can be deployed to recover 
from such a disaster scenario. In addition, AT&T has detailed business continuity 
and recovery plans for all of our key data centers and systems. These processes are 
exercised regularly and overseen by resiliency experts at AT&T Labs to ensure that 
plans are tested and refreshed as warranted. We also monitor the health of our net- 
works constantly and can identify and address abnormalities very quickly. Even in 
these tight economic times, AT&T has continued to invest including expanding our 
disaster recovery capabilities to our key facilities outside the United States. It is im- 
portant for all entities, but especially operators of critical infrastructures, to perform 
periodic and rigorous assessments of their mission-critical functions to minimize the 
impact that disruptions might otherwise cause. 

With regard to recovery from a major cyber attack, disaster response could take 
many forms. There are basic principles to guide the recovery: first, the detection and 
analysis of traffic data anomalies and other indicia in real-time; and second, remediation 
actions, which could range from applying software patches and upgrades, to 
quarantining and inoculating infected LANs, to shutting off routers to prevent fur- 
ther damage and rebooting machines using “clean” saved software. 

e. Is there a need for a coordinated international response as part of 
the efforts to protect national information infrastructures? What form 
might this response take? 

Response: Obviously, global coordination is required. Multinational corporations do 
this across their business unit structure, often in a seamless manner. 

In addition, the international environment is critical to controlling the health of the 
Internet. From a disaster recovery viewpoint, AT&T is investing in recovery for 
service nodes in Europe. 

Our Business Continuity and Risk Assessment processes are currently being re- 
freshed in light of changed conditions. Establishing a working group across national 
boundaries could have benefit just as the NRIC Council has provided benefits in the 
communications industry. Cyber attacks can come from anywhere, therefore international 
cooperation at both the government and industry levels is a necessary component. 
However, currently, it is very difficult for the private sector to engage 
in effective information-sharing and security coordination efforts in a global context 
because there are so many different approaches to information protection and disclo- 
sure world-wide at this time. There is a critical role for the U.S. government to play 
in structuring this partnership to ensure that U.S. corporations and citizens are pro- 
tected by U.S. laws. Active private sector participation requires significant harmoni- 
zation to ensure adequate legal protections such as protection of sensitive informa- 
tion are continually maintained. 

Response to Questions for the Record from AOL, Ms. Tatiana Gau 

1. There has been widespread concern among computer industry insiders that DHS 
is not taking information security vulnerabilities seriously enough. There is still no 
Undersecretary for Information Analysis and Infrastructure Protection, and even 
when one is in place, there is concern that information security will be relegated 
to second-class status. Industry has expressed the interest in expanding partnerships 
with government agencies to improve security, but DHS does not appear to 
be moving quickly to embrace this idea. 

a. What do you see as the government’s role in increasing security and 
standards setting? Could it be fostered through partnerships (such as 
those done through National Institute for Standards and Technology) 
and purchasing criteria? Would government mandated standards, such 
as the Common Criteria, be a helpful baseline or a hindrance to future 
innovation? 

Response: We believe that government’s role is to lead by example on 
cybersecurity, to encourage information sharing and the development of industry 
best practices, to support R&D, and to enter into partnerships with industry to improve 
cybersecurity in areas where it is lacking. Because cybersecurity is such a 
rapidly evolving area we do not believe that government mandated standards are 
a particularly effective approach, as such standards could quickly become obsolete. 
However, we do think that government procurement standards may be helpful in 
encouraging best practices throughout the private sector. 

b. From what you can tell, is there sufficient information-sharing tak- 
ing place between researchers who discover most vulnerabilities, com- 
panies who created the products and DHS? If CERT were formally con- 
nected to DHS, would that help FedCIRC with information dissemina- 
tion and the remediation of security problems and breaches? 

Response: To our knowledge, while there is a good deal of information-sharing tak- 
ing place among researchers and IT companies, there is not yet significant informa- 
tion-sharing between DHS and the ISP sector. We applaud the recent decision by 
DHS to create a government CERT that will coordinate with the private sector. We 
believe such a collaborative approach will create an environment that is conducive 
to information-sharing and cooperation. 

c. How can the government help companies be more responsive to 
known security issues? Would a law providing safe-harbor, with a sun- 
set, help encourage companies to quickly fix security issues after they 
are discovered? 

Response: AOL and other industry leaders already spend very significant sums of 
money on cybersecurity. However, government can foster greater responsiveness to 
known security issues through information-sharing, and by educating the public 
about security issues, as AOL does through its service. Government can play a par- 
ticularly important role by providing easy-to-access security warnings for small busi- 
ness and home users. 

Responses to Questions for the Record from MICROSOFT, Mr. Phil Reitinger 

1. There has been widespread concern among computer industry insiders that DHS 
is not taking information security vulnerabilities seriously enough. There is still no 
Undersecretary for Information Analysis and Infrastructure Protection, and even 
when one is in place, there is concern that information security will be relegated 
to second-class status. Industry has expressed the interest in expanding partnerships 
with government agencies to improve security, but DHS does not appear to be 
moving quickly to embrace this idea. 

a. What do you see as the government’s role in increasing security and 
standards setting? Could it be fostered through partnerships (such as 
those done through National Institute for Standards and Technology) 
and purchasing criteria? Would government mandated standards, such 
as the Common Criteria, be a helpful baseline or a hindrance to future 
innovation? 

Response: The government has a vital and tailored role to play in cyber security. 
First and foremost, the United States Government is the owner and operator of 
some of the largest and most sensitive computer networks in the world — its actions 
regarding its own cyber security can serve to demonstrate both the importance of 
the problem and best-in-breed solutions. Accordingly, the U.S. Government must act 
as a model, buying technology engineered for security, and implementing state-of- 
the-art security practices. 

Second, the U.S. Government must attack the “knowledge gap” regarding cyber se- 
curity — even today we do not know the quantitative risks posed by a lack of cyber 
security, and in which areas public and private actions fall short of addressing these 
risks. Business leaders are very good at risk management, but some of the risks 
posed by cyber crime and cyber attack are best known to the Government and need 
to be shared, to the greatest extent possible, with the private sector. This will enhance 
the business case for cyber security to the benefit of all. In particular, we all 
need to know more about interdependency between sectors and how that may affect 
our economy and our nation. Moreover, even with the increasing business focus on 
cyber security and enhanced private sector action, in some areas there may be a na- 
tional or homeland security need for computer and network security above what the 
market will provide. Therefore, the government, with knowledge of the risk in hand 
and recognizing the dynamic nature of the problem, needs to conduct an analysis 
of where private action may fall short and then determine the best way to address 
this shortfall through tailored action. 

Third, the U.S. Government needs to otherwise catalyze and enhance private action. 
There is and has been considerable activity in the cyber security realm, which can 
lead to two contrary but related mistakes. The first is to think that all this activity 
is progress, and that the cyber security problem is close to being solved. The second 
is to view this activity as mere churn without progress. In fact, considerable 
progress has been made, with the private sector increasingly focusing on and devot- 
ing resources to cyber security, and the public sector taking actions such as creating 
the Department of Homeland Security and adopting an improved information secu- 
rity governance structure though the enactment of the Federal Information Security 
Management Act. The federal government is uniquely able to continue and enhance 
this progress. It can help reduce the “churn” by examining the activity that is tak- 
ing place and identifying and supporting the private and public initiatives that offer 
the best opportunity to solve problems. It can help to develop and support metrics 
by which the private sector can judge its status and capabilities. As identified in 
my testimony, the federal government should provide more support for cyber secu- 
rity R&D (among the topics could be improved development tools, security for Inter- 
net-scale computing, human-computer interaction and security, priority routing, 
basic protocol research, and wireless security). And with respect to information 
sharing, besides sharing its own information (see above), the federal government can 
catalyze information sharing by the private sector by working with it to develop 
interfaces and protocols for sharing information among the various players and for 
the subsequent protection and use of that information — this would help to ease the 
burden of sharing information and increase the trust that shared information would 
be handled appropriately. 

Fourth, the U.S. Government must fulfill its particular responsibilities as a national 
government, including for national and homeland security. These include continuing 
to enhance the capability of law enforcement to catch and punish cyber criminals, 
because without an effective deterrent the amount of cyber crime will continue to 
grow. The Government can also raise public awareness about computer security, 
and build international relationships and agreements that enhance computer secu- 
rity worldwide. 

The government role in standards setting is also vital if properly tailored — in our 
view, the market should drive the emergence of open standards. If market competi- 
tion is permitted to determine which standards succeed, users are most likely to get 
the best mix of security and value, while the process itself will ensure that more 
secure standards constantly replace those that are less secure. That said, the gov- 
ernment can and should set the requirements for its IT purchases, relying to the 
greatest extent possible on the standards developed through market-driven means. 
This gives the government the benefit of widely interoperable and more up-to-date 
technology and processes. 

Moreover, as your question also suggests, where appropriate the government’s acquisition 
policies should include purchasing software whose security has been evaluated 
and certified under the internationally-recognized (and U.S. supported) Common 
Criteria for Information Technology Security. Policies requiring the acquisition 
of software that has received appropriate Common Criteria certifications should be 
developed and applied consistently and evenhandedly, and we applaud DoD’s recent 
efforts to make clear that its security policies apply to software that has been devel- 
oped under all business, development, and licensing models. Such efforts to procure 
only security-engineered technology, and specifically such clear support for the Com- 
mon Criteria, will help strengthen the government infrastructure and motivate mar- 
kets. 

The government should, however, avoid mandating standards for use by the private 
sector. Legislated standards are likely to become quickly outmoded — indeed, they 
may be outmoded at enactment. Standards are already “following” rather than 
“leading,” that is, standards tend to enshrine best current practice rather than en- 
capsulate expected innovation. Adopting a particular standard in legislation or regu- 
lation may enshrine outdated and antiquated technology and practice on our most 
critical infrastructures. Mandatory standards can also restrict innovation, by reducing 
the benefit from developing new technology or practices that are non-compliant, 
and also skew innovation, by favoring one technology or practice over another. Finally, 
mandating standards can actually drive security to a floor. Here, as elsewhere, 
the government must tailor its activity to meet specific needs, and act in the 
least intrusive manner possible, to avoid damaging the market’s continuing innova- 
tion. 

b. From what you can tell, is there sufficient information-sharing taking 
place between researchers who discover most vulnerabilities, companies 
who created the products and DHS? If CERT were formally connected 
to DHS, would that help FedCIRC with information dissemination 
and the remediation of security problems and breaches? 

Response: Information sharing regarding vulnerabilities is certainly taking place, 
and of course I would like to see it improve. Responsible disclosure of vulnerabilities 
minimizes risk to users, the Internet, and the critical infrastructures that depend 
upon it by giving vendors an 
opportunity to develop a fix for a vulnerability before giving attackers the knowl- 
edge necessary to launch attacks. Microsoft applauds and thanks those researchers 
who follow responsible disclosure policies. 

Therefore, Microsoft is working with other industry leaders to propose and institu- 
tionalize industry best practices for handling security vulnerabilities in ways that 
more effectively protect Internet users. We are a founding member of the Organiza- 
tion for Internet Safety (OIS), an alliance of leading technology vendors, security re- 
searchers, and consultants that is dedicated to the principle that security research- 
ers and vendors should follow common processes and best practices to efficiently re- 
solve security issues and to ensure that Internet users are protected. See 
www.oisafety.org. Last month, OIS published a set of best practices for reporting 
and responding to security vulnerabilities. These guidelines, which were built with 
input from across the security community, provide specific, prescriptive guidance 
that establishes a framework in which researchers and vendors can work together 
to improve the speed and quality of investigations into security vulnerabilities, then 
jointly provide guidance to help users protect themselves and their infrastructures. 
We view these best practices as an important step in elevating standards for ac- 
countability on all fronts and among all audiences in managing security 
vulnerabilities. 

With regard to the formal connection of CERT to DHS, I would need further infor- 
mation on how such a proposal would work before commenting in detail. 

c. How can the government help companies be more responsive to 
known security issues? Would a law providing safe-harbor, with a sunset, 
help encourage companies to quickly fix security issues after they 
are discovered? 

Response: The U.S. Government can help companies be more responsive to known 
security issues by taking the actions described above — being a leader and securing 
its own systems, addressing the knowledge gap, catalyzing and enhancing private 
sector activity, and fulfilling its governmental responsibilities. In particular, ad- 
dressing the knowledge gap will help business both to make rational decisions about 
cyber security and risk management and to implement the best defense. 

As for your question about Safe Harbor, I would need more information about the 
proposal to comment. 
